Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search for event when preceded or followed by another event.

khodges_splunk
Splunk Employee
Splunk Employee
‎09-07-2011 09:45 AM

How can I search for an event x, only when preceded or followed by event y? I.e., I only want x when y is immediately adjacent.

Tags (1)
0 Karma
Reply

acdevlin
Communicator
‎09-07-2011 10:01 AM

I think you'll want to use the transaction command. You can use the "startswith", "endswith", and "maxevents" options to further customize the query. Here's one example for event X followed by event Y.

... | transaction startswith="event x" endswith="event y" maxevents=2

You could then use an append to get the transactions with event Y before event X if you want to keep the whole process as just one search. However, this will cause a dramatic slowdown since the subsearch requires a second pass; I would recommend avoiding the following if high performance is an important goal.

... | transaction startswith="event x" endswith="event y" maxevents=2 | append [search <your search here> | transaction startswith="event y" endswith="event x" maxevents=2]

Does this help answer your question?

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...