Splunk Search

filtering for events occurring seconds before and after a given Windows event ID

mikefoti
Communicator

I would like to filter for events that occurred immediately before and after a given Windows event ID. For example, if Windows event ID 1234 occurs every so often, how can I create a filter, grouping or transaction consisting of just the event with that event ID plus the 2 or 3 events before and after it?


mikefoti
Communicator

I may be getting close... but would very much appreciate feedback... am I on the right track?

For now my goal has been scaled back to discovering what events occurred on servers 1, 2 & 3 at the same time as the event with eventID=15223. Later I will want to improve this to find events occurring within 1 second of this event.

host="server1" OR host="server2" OR host="server3" [search host="server1" OR host="server2" OR host="server3" winEventVwrEventID="15223" | fields + winEventVwrEventTIME]
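The two groupings asked for above (the anchor event plus N neighbouring events on the same host, and all events on any host within ±1 second of the anchor) are shown below as an added Python example over constructed sample events; it is not Splunk code and not from the original post, but it spells out the logic that a search would need to reproduce. Event IDs, hosts and timestamps are made up.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): (timestamp, host, event_id),
# deliberately out of host order and with two anchors (15223) on different hosts.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 12, 0, 0), "server1", 4624),
    (datetime(2024, 1, 1, 12, 0, 1), "server1", 4672),
    (datetime(2024, 1, 1, 12, 0, 2), "server1", 7036),
    (datetime(2024, 1, 1, 12, 0, 2), "server2", 4624),
    (datetime(2024, 1, 1, 12, 0, 3), "server1", 15223),   # anchor
    (datetime(2024, 1, 1, 12, 0, 3), "server2", 7040),
    (datetime(2024, 1, 1, 12, 0, 4), "server1", 4634),
    (datetime(2024, 1, 1, 12, 0, 9), "server1", 4624),
    (datetime(2024, 1, 1, 12, 0, 10), "server3", 15223),  # anchor
    (datetime(2024, 1, 1, 12, 0, 11), "server3", 4624),
]


def context_by_count(events, anchor_id, before=2, after=2):
    """One group per anchor event: the anchor plus up to `before` preceding and
    `after` following events from the SAME host, oldest first. Groups are
    truncated at the start/end of a host's log rather than padded."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e[0]):   # stable sort keeps ties ordered
        by_host.setdefault(ev[1], []).append(ev)
    groups = []
    for host_events in by_host.values():
        for i, ev in enumerate(host_events):
            if ev[2] == anchor_id:
                lo = max(0, i - before)              # clamp at log start
                groups.append(host_events[lo:i + after + 1])
    return groups


def context_by_time(events, anchor_id, seconds=1.0):
    """One group per anchor event: every event on ANY host whose timestamp lies
    within +/- `seconds` of the anchor (the 'within 1 second' goal above)."""
    delta = timedelta(seconds=seconds)
    ordered = sorted(events, key=lambda e: e[0])
    return [
        [e for e in ordered if abs(e[0] - anchor[0]) <= delta]
        for anchor in ordered if anchor[2] == anchor_id
    ]
```

Note that the count-based grouping is per host, so an anchor near the start of a host's log yields a shorter group, while the time-based grouping crosses hosts and so also picks up the other servers' events that the post is after.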