Splunk Search

How to pull next 5 events that meet criteria after different event?

nkavouris
Explorer

I am looking to record a measurement which is taken after the transition from Home state to Diagnostic state. I am calling the state change the keystone event.

the raw keystone event looks like so:

{"bootcount":26,"device_id":"X","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC",
"location":{"city":"X","country":"X","latitude":X,"longitude":X,"state":"X"},"log_level":"info",
"message":"client: GCL internal state { new_state: Diagnostic, old_state: Home, conditions: 65600, error_code: 0}",
"model_number":"X1","sequence":274,"serial":"123X","software_version":"2.3.1.7682","ticks":26391,"timestamp":1723254756}

My search to find the keystone event looks like:

index="june_analytics_logs_prod" message="* new_state: Diagnostic, old_state: Home*" NOT message="*counts*"

After the keystone event, I would like to take the measurements found in the immediate next 5 events. I will call these the data events.

the raw data events look like:

{"bootcount":26,"device_id":"x","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC",
"location":{"city":"X","country":"X","latitude":X,"longitude":X,"state":"X"},"log_level":"info",
"message":"client: fan: 2697, auger: 1275, glow_v: 782, glow: false, fuel: 0, cavity_temp: 209",
"model_number":"X1","sequence":280,"serial":"123X","software_version":"2.3.1.7682","ticks":26902,"timestamp":1723254761}

I would like to take the first 5 data events directly after the keystone event, extract the glow_v value and take the median of these 5 values as the accepted value.

In short, I want to build a query to find the time of a keystone event, use this time to find the immediately following data events that match certain criteria, extract the glow_v value from these data events and then take the median of these glow_v values.

0 Karma

PickleRick
SplunkTrust

OK. There are some things highly suboptimal with your search (especially the use of wildcards). But I'm not digging into it at the moment.

Also be aware that "next" might not mean the same for everyone so you should be precise when specifying your problem. By default Splunk returns data in reverse chronological order so Splunk's "next" event will actually be a previous event time-wise.

Anyway, the way to match something and some subsequent events (again - in Splunk's order - you might want to reverse or sort your events before doing so) is to use the streamstats command with the count function and the change_on parameter and then simply filter on events only having that count value below a given threshold.

0 Karma

nkavouris
Explorer
  1. What would be a better method to find events where the message field contains "new_state: Diagnostic, old_state: Home" as opposed to wildcards?
  2. I am looking for the events directly chronologically after the keystone event. That is, a timestamp more recent than the keystone event?
  3. How would I structure this streamstats command in the rest of my query? That is, there are separate criteria which the data events must meet in order to be viable.
0 Karma
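As an added example (not part of either poster's text), one way to put PickleRick's streamstats approach together for the sample events above. It assumes the index name from the original search, the device_id and message fields shown in the sample JSON, and that any extra criteria the data events must meet are added to the base search or to the final where clause; the search is sorted into chronological order first so that "next" means later in time.

```spl
index="june_analytics_logs_prod"
    (message="*GCL internal state*new_state: Diagnostic, old_state: Home*" OR message="client: fan:*glow_v:*")
| sort 0 device_id _time
| eval is_keystone=if(match(message, "new_state: Diagnostic, old_state: Home"), 1, 0)
| rex field=message "glow_v: (?<glow_v>\d+)"
| eval glow_v=tonumber(glow_v)
| streamstats count(eval(is_keystone=1)) AS keystone_id BY device_id
| where keystone_id > 0
| eval keystone_time=if(is_keystone=1, _time, null())
| filldown keystone_time
| streamstats count AS n BY device_id keystone_id
| where is_keystone=0 AND isnotnull(glow_v) AND n <= 6
| stats median(glow_v) AS accepted_glow_v, count AS samples, min(keystone_time) AS keystone_time BY device_id keystone_id
| where samples=5
| eval keystone_time=strftime(keystone_time, "%Y-%m-%d %H:%M:%S")
```

keystone_id increments at every Home-to-Diagnostic transition per device, so each data event carries the id of the keystone that preceded it; the second streamstats numbers events within that window (the keystone itself is n=1, the five following data events are n=2 to n=6). The final where drops windows that were cut short by another transition or the end of the search range, so the median is only reported where all five samples exist.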