I have a line that prints
2/20/13 6:45:45.000 PM [2013-02-20 18:45:45] FATAL
so that is ok, but what I really want to see is a couple of lines above or below that hit.
Does Splunk have something similar to grep -A or grep -B, or do I have to extract the time variable into a lookup table and then run another search looking for hits around that time stamp?
I am hoping something exists for that, thanks
In addition to Show Source, check out this entry in the Splunk wiki:
Thank you all. The problem is that in an interval of 1 second I have too many results. If I ever find a similar function I will post it in this question.
That approach might work with streamstats as well. Tag your desired events with eval foo = 1, use streamstats with a certain window to sum up foo, and only keep events with sum(foo) > 0.
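The streamstats idea above written out as a complete search, added here as an illustration and not code from any answer on this page; the sourcetype name, the 1-hour time range and the window of 6 (the current event plus 5 neighbours) are assumed:

```spl
sourcetype=myapp_log earliest=-1h
| eval is_fatal=if(match(_raw, "FATAL"), 1, 0)
| streamstats window=6 sum(is_fatal) AS before_ctx
| reverse
| streamstats window=6 sum(is_fatal) AS after_ctx
| reverse
| where before_ctx > 0 OR after_ctx > 0
| table _time, _raw, is_fatal, before_ctx, after_ctx
```

Because results arrive newest-first, the first streamstats pass flags up to 5 events older than each FATAL (the grep -B side), and the pass after the first reverse flags up to 5 newer events (the grep -A side); the second reverse only restores the original ordering.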
Would it be possible to use a transaction to get X number of events before the identified event? Like:
...| transaction sourcetype endswith=FATAL maxevents=10 maxspan=1s
Since we're going backwards in time, it ought to be possible to find that "FATAL" and count 10 more events. Or is that just another way of doing stuff inefficiently?
/K
If you need a shorter interval you could modify earliest and latest fields of localize down to the millisecond.
The short answer is there's really no good way of doing this in Splunk. There are more or less convoluted ways, but none that are easy and intuitive. Sadly.
That looks complicated - consider http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/localize
Have you tried "Show Source" in the Event Menu? The Event Menu is the blue box with a down-arrow that sits next to the timestamp and data for each event.