Search by keywords - Fetch events occurred 30 min ...

splunker12er · ‎07-07-2015

Is there any built-in command to fetch events before and after (for a specific time-duration) a particular keyword/eventtype ?

I wanted to filter events with a specific keyword ( index=* host=10.0.0.1 keyword=account-locked)
- this will get me the events with these keywords

Now, I wanted to fetch events occurred before and after 30 min at this particular event.

Please help.
Thnx

woodcock · ‎07-08-2015

Do it exactly like this:

index=* 10.0.2.1. *IKE Initiator sending 3rd QM pkt* | eval starttime=_time-180 | eval endtime=_time+180 | map search="search index=* earliest=$starttime$ latest=$endtime$"

jeffland · ‎07-08-2015

On a side note, you can also do this manually. Find an event you are interested in and click on the timestamp. From there, you can select the time range around this particular event that you want to look at.

splunker12er · ‎07-08-2015

Thanks, but still I am setting this as an alert.

MuS · ‎07-07-2015

Hi splunker12er,

yes, there is one. Try map like this:

index=* host=10.0.0.1 keyword=account-locked
| map search="search what ever you want earliest=-30min@min latest=+30min@min

This will search your base event and uses each found event and searches around it.
Just remember that your base search must overlap the time range of the map search 😉

Hope this helps ...

cheers, MuS

splunker12er · ‎07-07-2015

am in correct ?

splunker12er · ‎07-07-2015

I am searching for the keyword : IKE Initiator sending 3rd QM pkt

My search query :
index=* 10.0.2.1 IKE Initiator sending 3rd QM pkt

Now , i run |map query to get events , but it doesn't return any results:

Search by keywords - Fetch events occurred 30 min before and after that particular event

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life