search all event after specific string

indeed_2000 · ‎07-07-2021

Hi

1-I want to search result return everything after specific event till now.

for example: index=main | search "start service now"

expected result is all events after this event till now

2-after return all events after specific string in next step add specific field count incrementally.

for example: i have field that call "Module" count increment overtime like below:

index=main | table _time Module

08:30 10

08:37 15

08:38 30

08:40 40

08:58 43

.

Any idea?

Thanks

gcusello · ‎07-07-2021

Hi @indeed_2000,

about the first question, you could try something like this:

index=main [ search index=main "start service now" | eval earliest=_time | fields earliest ]
| ...

About the second question, could you better describe your need?

Ciao.

Giuseppe

indeed_2000 · ‎07-07-2021

Hi @gcusello

Thank you for reply, first question resolved.

about second one let me tell you another example:

I have log file that each minute store 1 event like this

8:00 1

8:01 1

8:02 1

instead of counting i want store last value and add new value to that, like this:

8:48 2

8:49 12 (10+2)

8:50 20 (3+12)

8:51 21 (1+20)

…

any idea?

Thanks

search all event after specific string

count

eval

field extraction

lookup

metadata

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation

search all event after specific string

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.