How to show logs happened 2 min before and 2 min a...

ivana27 · ‎03-02-2021

Hi Splunkers,

i have search like this

index=pkg_prespvm host IN (*)
| dedup _raw
| transaction host startswith="[Information] STEP = RequestDa" endswith="[Information] -- START TRANSACTION --"
| search "Get Da Transaction NOK --> Payment:OK"

And i want to display logs 2 logs before searched one and 2 logs after searched one.

Thank you

tscroggins · ‎03-07-2021

@ivana27

If you want to find transactions two minutes around the middlemost occurrence of your search string, you might use:

index=pkg_prespvm host IN (*)
| dedup _raw
| transaction host startswith="[Information] STEP = RequestDa" endswith="[Information] -- START TRANSACTION --"
| eventstats median(eval(case(like(_raw, "%Get Da Transaction NOK --> Payment:OK%"), _time))) as mid_time
| where _time>=relative_time(mid_time, "-2m") AND _time<=relative_time(mid_time, "+2m")

If you want to find transactions two minutes before and after the earliest and latest occurrences of your search string, you might use:

index=pkg_prespvm host IN (*)
| dedup _raw
| transaction host startswith="[Information] STEP = RequestDa" endswith="[Information] -- START TRANSACTION --"
| eventstats min(eval(case(like(_raw, "%Get Da Transaction NOK --> Payment:OK%"), _time))) as min_time max(eval(case(like(_raw, "%Get Da Transaction NOK --> Payment:OK%"), _time))) as max_time
| where _time>=relative_time(min_time, "-2m") AND _time<=relative_time(max_time, "+2m")

How to show logs happened 2 min before and 2 min after certain log

rex

transaction

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to show logs happened 2 min before and 2 min after certain log

rex

transaction

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!