search all event after specific string

indeed_2000 · ‎07-07-2021

Hi

1-I want to search result return everything after specific event till now.

for example: index=main | search "start service now"

expected result is all events after this event till now

2-after return all events after specific string in next step add specific field count incrementally.

for example: i have field that call "Module" count increment overtime like below:

index=main | table _time Module

08:30 10

08:37 15

08:38 30

08:40 40

08:58 43

.

Any idea?

Thanks

gcusello · ‎07-07-2021

Hi @indeed_2000,

about the first question, you could try something like this:

index=main [ search index=main "start service now" | eval earliest=_time | fields earliest ]
| ...

About the second question, could you better describe your need?

Ciao.

Giuseppe

indeed_2000 · ‎07-07-2021

Hi @gcusello

Thank you for reply, first question resolved.

about second one let me tell you another example:

I have log file that each minute store 1 event like this

8:00 1

8:01 1

8:02 1

instead of counting i want store last value and add new value to that, like this:

8:48 2

8:49 12 (10+2)

8:50 20 (3+12)

8:51 21 (1+20)

…

any idea?

Thanks

search all event after specific string

count

eval

field extraction

lookup

metadata

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation

search all event after specific string

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.