Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to show logs happened 2 min before and 2 min after certain log

ivana27
Path Finder
‎03-02-2021 02:34 AM

Hi Splunkers,

i have search like this

index=pkg_prespvm host IN (*)
| dedup _raw
| transaction host startswith="[Information] STEP = RequestDa" endswith="[Information] -- START TRANSACTION --"
| search "Get Da Transaction NOK --> Payment:OK"

And i want to display logs 2 logs before searched one and 2 logs after searched one.

Thank you

Labels (2)
Labels
0 Karma
Reply

tscroggins
Influencer
‎03-07-2021 10:40 AM

@ivana27 

If you want to find transactions two minutes around the middlemost occurrence of your search string, you might use:

index=pkg_prespvm host IN (*)
| dedup _raw
| transaction host startswith="[Information] STEP = RequestDa" endswith="[Information] -- START TRANSACTION --"
| eventstats median(eval(case(like(_raw, "%Get Da Transaction NOK --> Payment:OK%"), _time))) as mid_time
| where _time>=relative_time(mid_time, "-2m") AND _time<=relative_time(mid_time, "+2m")

If you want to find transactions two minutes before and after the earliest and latest occurrences of your search string, you might use:

index=pkg_prespvm host IN (*)
| dedup _raw
| transaction host startswith="[Information] STEP = RequestDa" endswith="[Information] -- START TRANSACTION --"
| eventstats min(eval(case(like(_raw, "%Get Da Transaction NOK --> Payment:OK%"), _time))) as min_time max(eval(case(like(_raw, "%Get Da Transaction NOK --> Payment:OK%"), _time))) as max_time
| where _time>=relative_time(min_time, "-2m") AND _time<=relative_time(max_time, "+2m")

 

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...