Is there any built-in command to fetch events before and after (for a specific time duration) a particular keyword/eventtype?
I wanted to filter events with a specific keyword (index=* host=10.0.0.1 keyword=account-locked)
- this will get me the events with these keywords.
Now, I want to fetch the events that occurred within 30 min before and after this particular event.
Please help.
Thanks
Do it exactly like this:
index=* 10.0.2.1 *IKE Initiator sending 3rd QM pkt* | eval starttime=_time-180 | eval endtime=_time+180 | map search="search index=* earliest=$starttime$ latest=$endtime$"
On a side note, you can also do this manually. Find an event you are interested in and click on the timestamp. From there, you can select the time range around this particular event that you want to look at.
Thanks, but I am still setting this up as an alert.
Hi splunker12er,
Yes, there is one. Try map,
like this:
index=* host=10.0.0.1 keyword=account-locked
| map search="search whatever you want earliest=-30min@min latest=+30min@min"
This will run your base search and, for each found event, search around it.
Just remember that your base search must overlap the time range of the map search 😉
Hope this helps ...
cheers, MuS
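Both answers above describe the same two-step pattern: a base search finds the anchor events, then `map` runs a second search over a time window built from each anchor's `_time`. The following Python is an added illustration of that logic, not code from the thread or from Splunk; it uses constructed sample events and mirrors the first answer's epoch arithmetic (`_time-N` / `_time+N`), with the window width as a parameter so that the 180-second window in that answer and the 30-minute (1800-second) window the question asked for can be compared. The names `base_search`, `map_window` and `context_around` are this example's own, and the cap of 10 subsearches reflects `map`'s default `maxsearches`.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not taken from the thread). Each dict mimics the
# Splunk fields used by the answers: numeric epoch _time, host and _raw text.
BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _t(minutes):
    """Epoch seconds for BASE + minutes, like Splunk's numeric _time field."""
    return (BASE + timedelta(minutes=minutes)).timestamp()


EVENTS = [
    {"_time": _t(-40), "host": "10.0.0.1", "_raw": "user bob login ok"},
    {"_time": _t(-20), "host": "10.0.0.1", "_raw": "user bob password failed"},
    {"_time": _t(-5),  "host": "10.0.0.1", "_raw": "user bob password failed"},
    {"_time": _t(0),   "host": "10.0.0.1", "_raw": "user bob account-locked"},
    {"_time": _t(10),  "host": "10.0.0.2", "_raw": "user alice login ok"},
    {"_time": _t(25),  "host": "10.0.0.1", "_raw": "helpdesk unlock user bob"},
    {"_time": _t(45),  "host": "10.0.0.1", "_raw": "user bob login ok"},
]


def base_search(events, host, keyword):
    """The outer search: index=* host=<host> <keyword>. Returns the anchor events."""
    return [e for e in events if e["host"] == host and keyword in e["_raw"]]


def map_window(events, anchors, window_seconds, maxsearches=10):
    """Equivalent of
         | eval starttime=_time-W | eval endtime=_time+W
         | map search="search index=* earliest=$starttime$ latest=$endtime$"
    One inner search per anchor (map stops after maxsearches of them).
    Results from overlapping windows are de-duplicated and returned in time order.
    earliest is inclusive and latest exclusive, as in Splunk time bounds.
    """
    seen = set()
    out = []
    for anchor in anchors[:maxsearches]:
        starttime = anchor["_time"] - window_seconds
        endtime = anchor["_time"] + window_seconds
        for idx, e in enumerate(events):  # inner search is index=*: no host filter
            if starttime <= e["_time"] < endtime and idx not in seen:
                seen.add(idx)
                out.append(e)
    return sorted(out, key=lambda e: e["_time"])


def context_around(events, host, keyword, window_seconds):
    """Whole pipeline: base search, then the per-event windowed search."""
    anchors = base_search(events, host, keyword)
    return map_window(events, anchors, window_seconds)


if __name__ == "__main__":
    # 1800 s = 30 min either side, the window the question asked for
    for e in context_around(EVENTS, "10.0.0.1", "account-locked", 1800):
        print(datetime.fromtimestamp(e["_time"], timezone.utc), e["host"], e["_raw"])
    # 180 s, the value in the first answer, only reaches 3 min either side
    print(len(context_around(EVENTS, "10.0.0.1", "account-locked", 180)), "event(s) within 180 s")
```

Running it with 1800 seconds returns the two failed passwords, the lock itself, the unrelated host's event (the inner search is `index=*`, so host is no longer a filter) and the unlock, while the 40-minute-old and 45-minute-later logins fall outside the window; with the first answer's 180 seconds only the anchor event itself is returned, which is the kind of mismatch to check for when a `map` search "returns nothing". The `maxsearches` cap is the other thing to watch in an alert: if the base search matches more anchors than that, the later ones get no context search at all.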
Am I correct?
I am searching for the keyword: IKE Initiator sending 3rd QM pkt
My search query:
index=* 10.0.2.1 IKE Initiator sending 3rd QM pkt
Now, I run the |map
query to get events, but it doesn't return any results: