Search by keywords - Fetch events that occurred 30 min before and after a particular event


Is there any built-in command to fetch the events before and after (for a specific time duration) a particular keyword/eventtype?

I wanted to filter events with a specific keyword ( index=* host= keyword=account-locked )
- this will get me the events with these keywords

Now, I want to fetch the events that occurred 30 min before and after this particular event.

Please help.


Do it exactly like this:

index=* *IKE Initiator sending 3rd QM pkt* | eval starttime=_time-180 | eval endtime=_time+180 | map search="search index=* earliest=$starttime$ latest=$endtime$"


On a side note, you can also do this manually. Find an event you are interested in and click on the timestamp. From there, you can select the time range around this particular event that you want to look at.



Thanks, but I am still setting this up as an alert.



Hi splunker12er,

yes, there is one. Try map like this:

index=* host= keyword=account-locked
| map search="search what ever you want earliest=-30min@min latest=+30min@min"

This will run your base search and then use each found event to search around it.
Just remember that your base search must overlap the time range of the map search 😉

Hope this helps ...

cheers, MuS
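Putting the two answers above together, here is an added example of a complete alert-style search; it is not part of either post. It assumes a hypothetical index named `wineventlog`, the `account-locked` keyword from the question, and a ±30 minute (1800 second) window. Each trigger event is expanded into an epoch start/end pair, and the `map` subsearch is pinned to the same host so the surrounding events belong to the machine where the lockout happened rather than the whole index. Because the "after" half of the window cannot exist until 30 minutes have passed, the base search deliberately looks at the slice from 60 to 30 minutes ago; schedule the alert every 30 minutes and each run covers the slice whose trailing window has fully elapsed.

```spl
index=wineventlog "account-locked" earliest=-60min@min latest=-30min@min
| eval win_start=_time-1800, win_end=_time+1800, trigger_time=_time, trigger_host=host
| map maxsearches=20 search="search index=wineventlog host=$trigger_host$ earliest=$win_start$ latest=$win_end$
    | eval offset_sec=_time-$trigger_time$
    | eval is_trigger=if(offset_sec==0, 1, 0)
    | table _time offset_sec is_trigger host sourcetype _raw
    | sort 0 _time"
```

`map` runs one subsearch per base result, so `maxsearches` (default 10) caps the cost and the base search should be kept narrow; `offset_sec` is negative for events before the lockout and positive after it, and `is_trigger` flags any event sharing the trigger's exact timestamp, which is close enough for review but not a guarantee that it is the lockout line itself.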


Am I correct?



I am searching for the keyword: IKE Initiator sending 3rd QM pkt

My search query :
index=* IKE Initiator sending 3rd QM pkt

Now, I run the |map query to get the events, but it doesn't return any results.
