Splunk Search

How to write a search to show events immediately before and after a certain field value changes?

dbcase
Motivator

Hi,

I'm searching through logs and I need to see the events that occur when one field value changes.

Example:
Http status=200 repeats 5000 times, then the Http status changes to 401. I need to see the events immediately before and immediately after the status code change


cmerriman
Super Champion

you could do a

.... | streamstats current=f window=1 last(httpStatus) as previousHttpStatus | where previousHttpStatus!=httpStatus

or some variation that would work for your needs

documentation on streamstats
https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats

teekayx
Path Finder

streamstats indeed! If used in conjunction with the 'reset_on_change' argument for streamstats, you could locate the events with the value changes.


dbcase
Motivator

The autoregress seems to work great! Although (and I didn't ask for this the first time) is there a way to see the events around the httpStatus change (let's say 10 events prior and 10 events after)?


somesoni2
Revered Legend

Another variation of this approach is using the autoregress command (does the same thing but gives a cleaner look).

your base search | autoregress httpStatus as prevHttpStatus | where prevHttpStatus!=httpStatus
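The follow-up question (10 events before and 10 events after each change) is not answered in the thread. The search below is an added example, not posted by anyone in the thread and not taken from Splunk's documentation; it assumes an index named web, a sourcetype of access_combined and a field named httpStatus, so substitute your own. It flags each change point the same way the streamstats answer does, then uses two more windowed streamstats passes, one over the events as sorted and one over the reversed order, to mark every event that has a change point within the 10 events on either side of it.

```spl
index=web sourcetype=access_combined
| sort 0 _time
| streamstats current=f window=1 last(httpStatus) as prevHttpStatus
| eval changed=if(isnotnull(prevHttpStatus) AND prevHttpStatus!=httpStatus, 1, 0)
| streamstats window=11 sum(changed) as changes_in_prior_10
| reverse
| streamstats window=11 sum(changed) as changes_in_next_10
| reverse
| where changes_in_prior_10>0 OR changes_in_next_10>0
| table _time httpStatus prevHttpStatus changed
```

Two points worth checking before trusting the output. First, the `sort 0 _time` matters: search results come back newest first, so without it the "previous" event that streamstats or autoregress sees is actually the later one in time. Second, `window=11` with the default current=t covers the current event plus the 10 before it, so the change event itself (the first event with the new status, changed=1) and the last event with the old status both land inside the window. If several clients or users are mixed in the same search, add the same `by` clause (for example `by clientip`) to all three streamstats calls so a 200 from one client followed by a 401 from another is not reported as a change.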