display rows between 2 searches

splunkpaterd2
Explorer

Good morning,

 

suppose I have the following entries in my file:

BEGIN
 abc
def
END;

BEGIN
 xyz
END;

***

I want to search for the sentence BEGIN and the sentence with END;

As a result I want to have the search entries BEGIN and END, including the rows between.

Regards

Dik Pater

1 Solution

ITWhisperer
SplunkTrust

| makeresults | eval _raw="2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 3 PROC SQL NOEXEC;
2021-03-17T11:08:26,400 INFO [00000018] :dikpater@nowhere - 4 SELECT t1.ID,
2021-03-17T11:08:26,401 INFO [00000018] :dikpater@nowhere - 5 t1.KOLOM1,
2021-03-17T11:08:26,402 INFO [00000018] :dikpater@nowhere - 6 t1.KOLOM2,
2021-03-17T11:08:26,403 INFO [00000018] :dikpater@nowhere - 7 FROM mytable t1;
2021-03-17T11:08:26,404 INFO [00000018] :dikpater@nowhere - 8 RUN;"
| multikv noheader=t
| fields - Column_1

| eval _time=strptime(_raw,"%Y-%m-%dT%H:%M:%S,%Q")

| sort - _time
| transaction startswith="PROC SQL" endswith="RUN" mvraw=t

The first part sets up dummy data in line with your example

The second part may or may not be needed if you already have _time extracted as an epoch time

The transaction command needs events sorted in descending _time order

I used mvraw=t which may or may not be required depending on how you want to proceed
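
The same grouping done outside Splunk, as an added example that is not part of this thread: a small Python parser for the line layout shown in the question that sorts by timestamp and collects everything from a PROC SQL line to the next RUN; line per session id, flagging blocks that never reach RUN; much as transaction's keepevicted=true would. The sample lines are constructed, and the field names, the per-session grouping and the marker test on the start of the SQL text are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the log excerpt in this thread. The first line is
# deliberately out of order and the second PROC SQL block deliberately never reaches RUN;.
SAMPLE_LOG = """\
2021-03-17T11:08:26,404 INFO [00000018] :dikpater@nowhere - 8 RUN;
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 3 PROC SQL NOEXEC;
2021-03-17T11:08:26,400 INFO [00000018] :dikpater@nowhere - 4 SELECT t1.ID,
2021-03-17T11:08:26,401 INFO [00000018] :dikpater@nowhere - 5 t1.KOLOM1,
2021-03-17T11:08:26,402 INFO [00000018] :dikpater@nowhere - 6 t1.KOLOM2,
2021-03-17T11:08:26,403 INFO [00000018] :dikpater@nowhere - 7 FROM mytable t1;
2021-03-17T11:08:27,100 INFO [00000018] :dikpater@nowhere - 9 PROC SQL;
2021-03-17T11:08:27,101 INFO [00000018] :dikpater@nowhere - 10 DELETE FROM mytable;
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\S+) \[(?P<session>[^\]]+)\] "
                     r":(?P<user>\S+) - (?P<lineno>\d+) (?P<text>.*)$")
def parse_line(line):
    """Split one log line into its fields; None if the line does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S,%f")
    return rec
def group_blocks(log_text, start="PROC SQL", end="RUN"):
    """Group lines from a start marker to the next end marker, per session, in time order.
    A new start while a block is open, or end of input, closes it with complete=False."""
    recs = sorted(filter(None, map(parse_line, log_text.splitlines())),
                  key=lambda r: (r["time"], int(r["lineno"])))
    blocks, open_blocks = [], {}
    def close(session, complete):
        blk = open_blocks.pop(session)
        blk["complete"] = complete
        blk["sql"] = "\n".join(r["text"] for r in blk["lines"])
        blocks.append(blk)
    for r in recs:
        s = r["session"]
        if r["text"].startswith(start):        # mirrors transaction startswith=
            if s in open_blocks:
                close(s, False)
            open_blocks[s] = {"session": s, "user": r["user"], "lines": []}
        if s in open_blocks:
            open_blocks[s]["lines"].append(r)
            if r["text"].startswith(end):      # mirrors transaction endswith=
                close(s, True)
    for s in list(open_blocks):                # flush unterminated blocks
        close(s, False)
    return blocks
```

Each returned block carries the reconstructed statement in "sql" and a "complete" flag, so an audit script can report statements that were started but never run.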

ITWhisperer
SplunkTrust

On the face of it, it seems like the transaction command is the one you should be looking at.

splunkpaterd2
Explorer

I did not succeed, so if you have the solution for me please post it.

ITWhisperer
SplunkTrust

Can you post some more realistic anonymised data?

splunkpaterd2
Explorer

2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 3 PROC SQL NOEXEC;
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 4 SELECT t1.ID,
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 5 t1.KOLOM1,
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 6 t1.KOLOM2,
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 7 FROM mytable t1;
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 8 RUN;

So if I search for PROC SQL until RUN; that's what I need to get back.

TIA

Dik Pater

splunkpaterd2
Explorer

Thanks for your excellent answer.

My colleagues are happy with this and can now continue to answer some auditing questions.

Regards,

Dik Pater

The Netherlands
