Good morning,
suppose I have the following entries in my file:
BEGIN
abc
def
END;
BEGIN
xyz
END;
***
I want to search for the sentence BEGIN and the sentence with END;
As a result I want to have the search entries BEGIN and END including the rows between.
Regards
Dik Pater
| makeresults | eval _raw="2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 3 PROC SQL NOEXEC;
2021-03-17T11:08:26,400 INFO [00000018] :dikpater@nowhere - 4 SELECT t1.ID,
2021-03-17T11:08:26,401 INFO [00000018] :dikpater@nowhere - 5 t1.KOLOM1,
2021-03-17T11:08:26,402 INFO [00000018] :dikpater@nowhere - 6 t1.KOLOM2,
2021-03-17T11:08:26,403 INFO [00000018] :dikpater@nowhere - 7 FROM mytable t1;
2021-03-17T11:08:26,404 INFO [00000018] :dikpater@nowhere - 8 RUN;"
| multikv noheader=t
| fields - Column_1
| eval _time=strptime(_raw,"%Y-%m-%dT%H:%M:%S,%Q")
| sort - _time
| transaction startswith="PROC SQL" endswith="RUN" mvraw=t
The first part sets up dummy data in line with your example.
The second part may or may not be needed if you already have _time extracted as an epoch time.
The transaction command needs events sorted in descending _time order.
I used mvraw=t, which may or may not be required depending on how you want to proceed.
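For anyone who wants to check what the grouping should return, or to audit an exported log outside Splunk, here is the same start/end grouping written out in plain Python. This is an added example, not code from the thread or from Splunk: the line layout regex is an assumption based on the anonymised sample above, and the extra lines (a DATA step and a second PROC SQL block that never reaches RUN;) are constructed to show what happens to lines outside a block and to a block that is never closed.

```python
"""Group multi-line log blocks between a start marker and an end marker.

Added example (not from the original thread): a plain-Python equivalent of
the transaction startswith/endswith search above. The field layout and the
extra sample lines are assumptions constructed for this example.
"""
import re
from datetime import datetime

# Constructed sample input mirroring the thread's example (same timestamp
# format with the ',' millisecond separator), plus a DATA step outside any
# PROC SQL block and a final PROC SQL block with no closing RUN;.
SAMPLE_LOG = """\
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 3 PROC SQL NOEXEC;
2021-03-17T11:08:26,400 INFO [00000018] :dikpater@nowhere - 4 SELECT t1.ID,
2021-03-17T11:08:26,401 INFO [00000018] :dikpater@nowhere - 5 t1.KOLOM1,
2021-03-17T11:08:26,402 INFO [00000018] :dikpater@nowhere - 6 t1.KOLOM2,
2021-03-17T11:08:26,403 INFO [00000018] :dikpater@nowhere - 7 FROM mytable t1;
2021-03-17T11:08:26,404 INFO [00000018] :dikpater@nowhere - 8 RUN;
2021-03-17T11:08:27,000 INFO [00000018] :dikpater@nowhere - 9 DATA work.x;
2021-03-17T11:08:27,001 INFO [00000018] :dikpater@nowhere - 10 RUN;
2021-03-17T11:08:28,000 INFO [00000018] :dikpater@nowhere - 11 PROC SQL;
2021-03-17T11:08:28,001 INFO [00000018] :dikpater@nowhere - 12 SELECT 1;
"""

# Assumed line layout: timestamp, level, [session], :user, line number, text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>\w+) \[(?P<session>[0-9a-f]+)\] :(?P<user>\S+) - "
    r"(?P<lineno>\d+) (?P<text>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # %f accepts 1 to 6 digits, so ',399' is read as 399 ms (like %Q in SPL).
    ev["_time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S,%f")
    return ev


def group_transactions(text, start_pat=r"PROC SQL", end_pat=r"\bRUN;"):
    """Group parsed lines into blocks running from a start match to an end match.

    Sort by time, open a block on a start match, append lines until an end
    match closes it. A block that never sees its end marker is still returned
    but flagged complete=False, so an auditor can see what was started; lines
    outside any open block are skipped in this example.
    """
    start_re, end_re = re.compile(start_pat), re.compile(end_pat)
    events = [ev for ev in map(parse_line, text.splitlines()) if ev]
    events.sort(key=lambda ev: ev["_time"])  # ascending here; SPL transaction wants descending
    blocks, current = [], None
    for ev in events:
        if start_re.search(ev["text"]):
            if current is not None:          # previous block never closed
                blocks.append(current)
            current = {"user": ev["user"], "session": ev["session"],
                       "start": ev["_time"], "end": None,
                       "lines": [], "complete": False}
        if current is None:
            continue                         # outside any start ... end block
        current["lines"].append(ev["text"])
        current["end"] = ev["_time"]
        if end_re.search(ev["text"]):
            current["complete"] = True
            blocks.append(current)
            current = None
    if current is not None:                  # trailing unterminated block
        blocks.append(current)
    return blocks


def duration_ms(block):
    """Elapsed milliseconds between the first and last line of a block."""
    return round((block["end"] - block["start"]).total_seconds() * 1000)


if __name__ == "__main__":
    for b in group_transactions(SAMPLE_LOG):
        state = "complete" if b["complete"] else "UNTERMINATED"
        print(f"{b['user']} {b['start'].isoformat()} {duration_ms(b)}ms {state}")
        for line in b["lines"]:
            print("   ", line)
```

Run as a script it prints two blocks: the complete six-line PROC SQL ... RUN; block from the thread and the constructed unterminated one; the DATA step and its RUN; are left out because no block was open. The complete flag is the part worth keeping for audit work, since a missing RUN; is exactly the case where a transaction-style grouping can silently drop or merge what ran.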
On the face of it, it seems like the transaction command is the one you should be looking at
I did not succeed, so if you have the solution for me please post it.
Can you post some more realistic anonymised data?
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 3 PROC SQL NOEXEC;
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 4 SELECT t1.ID,
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 5 t1.KOLOM1,
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 6 t1.KOLOM2,
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 7 FROM mytable t1;
2021-03-17T11:08:26,399 INFO [00000018] :dikpater@nowhere - 8 RUN;
So if I search for PROC SQL until RUN;
that's what I need to get back.
TIA
Dik Pater
Thanks for your excellent answer.
My colleagues are happy with this and can now continue to answer some auditing questions.
Regards,
Dik Pater
The Netherlands
