How to write a search to show events immediately b...

dbcase · ‎10-17-2016

Hi,

I'm searching through logs and I need to see the events that occur when one field value changes.

Example:
Http status=200 repeats 5000 times, then the Http status changes to 401. I need to see the events immediately before and immediately after the status code change

cmerriman · ‎10-17-2016

you could do a

.... |  streamstats current=f window=1 values(httpStatus) as previousHttpStatus by _time|where previousHttpStatus!=httpStatus

or some variation that would work for your needs

documentation on streamstats
https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats

teekayx · ‎10-17-2016

streamstats indeed! if used in conjunction with 'reset_on_change' argument for streamstats, you could locate the events with the value changes.

dbcase · ‎10-18-2016

The Autoregress seems to work great! Although (and I didn't ask for this the first time) is there a way to see the events (lets say 10 events prior and 10 events post) the httpStatus change?

somesoni2 · ‎10-17-2016

Another variation of this approach is using autoregress command (does the same thing but give more cleaner look.)

your base search | autoregress httpStatus as prevHttpStatus |where previousHttpStatus!=httpStatus

How to write a search to show events immediately before and after a certain field value changes?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms