Search for event when preceded or followed by anot...

khodges_splunk · ‎09-07-2011

How can I search for an event x, only when preceded or followed by event y? I.e., I only want x when y is immediately adjacent.

acdevlin · ‎09-07-2011

I think you'll want to use the transaction command. You can use the "startswith", "endswith", and "maxevents" options to further customize the query. Here's one example for event X followed by event Y.

... | transaction startswith="event x" endswith="event y" maxevents=2

You could then use an append to get the transactions with event Y before event X if you want to keep the whole process as just one search. However, this will cause a dramatic slowdown since the subsearch requires a second pass; I would recommend avoiding the following if high performance is an important goal.

... | transaction startswith="event x" endswith="event y" maxevents=2 | append [search <your search here> | transaction startswith="event y" endswith="event x" maxevents=2]

Does this help answer your question?

Search for event when preceded or followed by another event.

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

Are you a member of the Splunk Community?

Search for event when preceded or followed by another event.

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk