Is there any optimal way to get context bith befor...

Manish_Sharma · ‎10-17-2023

Is there any optimal way to get context bith before and after fir search result?

As in if I search for a term like “Error”, I want to be able to see 10 lines before and after this message.

inventsekar · ‎10-17-2023

@Manish_Sharma wrote:
As in if I search for a term like “Error”, I want to be able to see 10 lines before and after this message.

Hi @Manish_Sharma ... by the "10 lines before and after", i assume you would like to see the 10 logs/events before the "error" log/event.

if so, you can try this step..

expand the "error" log/event... it will have a field "_time" with a drop down arrow.

when you click that drop down.. You can find the "Nearby Events".. you can add 5 seconds(or mins or hrs, etc) plus or minus.

fredclown · ‎10-18-2023

That will not show the source file lines surrounding the event. It will just change the time range. the base search will still apply and only show events with Error in them. You won't get the non-error lines before and after. Also, if the source and host are not specified in the base search you may get events from other sources and hosts.

Manish_Sharma · ‎10-18-2023

Correct @fredclown , It will search for base search even if we change the tine frame. Apart from using show source option any other way or command to get such details.

fredclown · ‎10-17-2023

If you expand the event details using the chevron next to the event you will see a drop down that says Event Actions. Click that and select "Show Source". This will show you the lines before and after the event.

fredclown · ‎10-18-2023

Another option would be to create a dashboard with the base search to pull up the errors and then use a drill down to get the rest of the detail. Here is some example simple xml for a dashboard.

<form theme="dark">
  <label>Error Dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="timePicker">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype IN (splunkd) AND ERROR
| table _time index host source sourcetype _raw</query>
          <earliest>$timePicker.earliest$</earliest>
          <latest>$timePicker.latest$</latest>
        </search>
        <option name="count">5</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <drilldown>
          <eval token="tok_time_earliest">$click.value$ - 10</eval>
          <eval token="tok_time_latest">$click.value$ + 10</eval>
          <set token="tok_index">$row.index$</set>
          <set token="tok_host">$row.host$</set>
          <set token="tok_source">$row.source$</set>
          <set token="tok_sourcetype">$row.sourcetype$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$tok_index$">
      <title></title>
      <event>
        <search>
          <query>index=$tok_index|s$ host=$tok_host|s$ source=$tok_source|s$ sourcetype=$tok_sourcetype|s$ earliest=$tok_time_earliest|s$ latest=$tok_time_latest|s$
| highlight error</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="type">raw</option>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

Is there any optimal way to get context bith before and after fir search result

other

transaction

tstats

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio