Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search for a keyword2 with in 10 minutes after keyword1 occured in events?

SapthagiriAavik
Explorer
‎06-29-2018 03:10 AM

I have a events log something like this,

2018-06-29 03:34:23.090 -5 Thread-55 CM 6107 1 Content Manager is unable to process the request.

2018-06-29 03:39:23.090 -5 Thread-85 CM 6186 1 Event Solution Assigned URL http://*";

If this keyword1 occurred "Content Manager is unable to process the request" ,then I want to search for this keyword2 " Event Solution Assigned URL http://*"; within 10 minutes. if keyword2 not occurred within 10 minutes I want to send an alert

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-29-2018 08:45 PM

Like this:

Your Search For both Events Here
| reverse
| streamstats count(eval(searchmatch("Content Manager"))) AS sessionID
| eventstats first(_time) AS start_time BY sessionID
| eval secondsaway = _time - start_time
| where secondsaway < (10 * 60)
0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...