search all event after specific string

indeed_2000 · ‎07-07-2021

Hi

1-I want to search result return everything after specific event till now.

for example: index=main | search "start service now"

expected result is all events after this event till now

2-after return all events after specific string in next step add specific field count incrementally.

for example: i have field that call "Module" count increment overtime like below:

index=main | table _time Module

08:30 10

08:37 15

08:38 30

08:40 40

08:58 43

.

Any idea?

Thanks

gcusello · ‎07-07-2021

about the first question, you could try something like this:

index=main [ search index=main "start service now" | eval earliest=_time | fields earliest ]
| ...

About the second question, could you better describe your need?

Ciao.

Giuseppe

indeed_2000 · ‎07-07-2021

Thank you for reply, first question resolved.

about second one let me tell you another example:

I have log file that each minute store 1 event like this

8:00 1

8:01 1

8:02 1

instead of counting i want store last value and add new value to that, like this:

8:48 2

8:49 12 (10+2)

8:50 20 (3+12)

8:51 21 (1+20)

…

any idea?

Thanks

Are you a member of the Splunk Community?