
Is there any optimal way to get context both before and after for a search result?

Manish_Sharma
Engager

Is there any optimal way to get context both before and after for a search result?

As in if I search for a term like “Error”, I want to be able to see 10 lines before and after this message.

0 Karma

inventsekar
SplunkTrust

@Manish_Sharma wrote:

As in if I search for a term like “Error”, I want to be able to see 10 lines before and after this message.


Hi @Manish_Sharma ... by the "10 lines before and after", I assume you would like to see the 10 logs/events before the "error" log/event.

If so, you can try this step..

Expand the "error" log/event... it will have a field "_time" with a drop-down arrow.

When you click that drop-down, you can find the "Nearby Events". You can add 5 seconds (or mins or hrs, etc.) plus or minus.

[image: nearby-events.jpg]

0 Karma

fredclown
Contributor

That will not show the source file lines surrounding the event. It will just change the time range. The base search will still apply and only show events with Error in them. You won't get the non-error lines before and after. Also, if the source and host are not specified in the base search, you may get events from other sources and hosts.

Manish_Sharma
Engager

Correct @fredclown, it will still run the base search even if we change the time frame. Apart from using the Show Source option, is there any other way or command to get such details?

0 Karma

fredclown
Contributor

If you expand the event details using the chevron next to the event you will see a drop down that says Event Actions. Click that and select "Show Source". This will show you the lines before and after the event.

0 Karma

fredclown
Contributor

Another option would be to create a dashboard with the base search to pull up the errors and then use a drilldown to get the rest of the detail. Here is some example Simple XML for a dashboard.

<form theme="dark">
  <label>Error Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="timePicker">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype IN (splunkd) AND ERROR
| table _time index host source sourcetype _raw</query>
          <earliest>$timePicker.earliest$</earliest>
          <latest>$timePicker.latest$</latest>
        </search>
        <option name="count">5</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <drilldown>
          <eval token="tok_time_earliest">$click.value$ - 10</eval>
          <eval token="tok_time_latest">$click.value$ + 10</eval>
          <set token="tok_index">$row.index$</set>
          <set token="tok_host">$row.host$</set>
          <set token="tok_source">$row.source$</set>
          <set token="tok_sourcetype">$row.sourcetype$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$tok_index$">
      <title></title>
      <event>
        <search>
          <query>index=$tok_index|s$ host=$tok_host|s$ source=$tok_source|s$ sourcetype=$tok_sourcetype|s$ earliest=$tok_time_earliest|s$ latest=$tok_time_latest|s$
| highlight error</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="type">raw</option>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>


0 Karma
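The dashboard above selects context by a time window (10 seconds either side of the clicked event). If what you actually want is the 10 events before and after each match, counted per host and source rather than by clock time, the same thing can be done in a single search with `streamstats` and no drilldown. The search below is an added example, not code from anyone in this thread; it reuses the `index=_internal sourcetype=splunkd` base search and the literal `ERROR` term from the dashboard post, and the window size 10 is an assumption you can change.

```spl
index=_internal sourcetype=splunkd
| reverse
| streamstats window=10 current=f sum(eval(if(match(_raw, "ERROR"), 1, 0))) as err_in_prev10 by host source
| reverse
| streamstats window=10 current=f sum(eval(if(match(_raw, "ERROR"), 1, 0))) as err_in_next10 by host source
| where match(_raw, "ERROR") OR err_in_prev10 > 0 OR err_in_next10 > 0
| sort 0 host source _time
| table _time host source err_in_prev10 err_in_next10 _raw
```

How it works: search results arrive newest first, so the first `reverse` puts each host/source stream into chronological order; the first `streamstats` (with `current=f`, so the current event is excluded) then counts how many of the 10 preceding events contain `ERROR`, which marks events that sit within 10 events after an error. Reversing again and repeating the same `streamstats` counts errors among the 10 following events, marking events that sit within 10 events before one. The `where` keeps the error events themselves plus anything flagged by either side of the window, and the final `sort 0` (no result limit) restores chronological order per stream. Because both windows are computed `by host source`, context from one log file never bleeds into another, which addresses the caveat raised earlier in the thread about unscoped host and source. Note that this search has to scan all events in the time range for the chosen index and sourcetype, so keep the time picker tight on busy indexes.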