Splunk Search

Search by keywords - Fetch events that occurred 30 min before and after a particular event

Motivator

Is there any built-in command to fetch events before and after (for a specific time duration) a particular keyword/eventtype?

I want to filter events with a specific keyword (index=* host=10.0.0.1 keyword=account-locked)
- this will get me the events with these keywords.

Now, I want to fetch the events that occurred 30 min before and after this particular event.

Please help.
Thanks

0 Karma

Esteemed Legend

Do it exactly like this:

index=* 10.0.2.1 "*IKE Initiator sending 3rd QM pkt*"
| eval starttime=_time-1800
| eval endtime=_time+1800
| map search="search index=* earliest=$starttime$ latest=$endtime$"
0 Karma
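An alert-oriented variant of the eval-plus-map approach above, added here as an example (it is not code from any of the posters). It assumes the host 10.0.0.1 and the "account-locked" term from the question, searched as a phrase; the field names trigger_time, starttime and endtime and the maxsearches value of 50 are choices made for the example. Each triggering event gets its own subsearch whose earliest/latest are the absolute epoch values computed from that event's _time, so every subsearch is anchored on its own event rather than on the time the alert runs, and the returned context rows are tagged with the trigger that produced them so overlapping windows stay distinguishable.

```spl
index=* host=10.0.0.1 "account-locked"
| eval trigger_time=_time, starttime=_time-1800, endtime=_time+1800
| map maxsearches=50 search="search index=* host=10.0.0.1 earliest=$starttime$ latest=$endtime$ | eval trigger_time=$trigger_time$"
| sort 0 trigger_time, _time
| eval trigger_time=strftime(trigger_time, "%Y-%m-%d %H:%M:%S")
| table trigger_time, _time, host, source, sourcetype, _raw
```

The alert's own schedule window only decides which triggering events are found; the 30-minute window on either side of each trigger comes from the per-event earliest/latest passed into map. map runs one subsearch per trigger and stops at maxsearches (the default is 10), so keep the base search narrow and raise the limit deliberately rather than searching index=* with no other filter.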

Champion

On a side note, you can also do this manually. Find an event you are interested in and click on the timestamp. From there, you can select the time range around this particular event that you want to look at.

0 Karma

Motivator

Thanks, but I am still setting this up as an alert.

0 Karma

SplunkTrust

Hi splunker12er,

Yes, there is one. Try map like this:

index=* host=10.0.0.1 keyword=account-locked
| map search="search whatever you want earliest=-30min@min latest=+30min@min"

This will run your base search and then, for each event found, search around it.
Just remember that your base search must overlap the time range of the map search 😉

Hope this helps ...

cheers, MuS

Motivator

Am I correct?

0 Karma

Motivator

I am searching for the keyword: IKE Initiator sending 3rd QM pkt

My search query:
index=* 10.0.2.1 IKE Initiator sending 3rd QM pkt

Now, I run the | map query to get the events, but it doesn't return any results:


0 Karma