Splunk Search

How to include a few events from the log prior to the event that triggered the alert?

splunkIT
Splunk Employee
Splunk Employee

I would like to setup a scheduled alert which includes the event that triggers the alert, plus a few events prior the "main" event.

Tags (1)
0 Karma
1 Solution

Ruski88
Engager

I was able to make the search below work so that when the event that triggered the alert ran, it would gather the last 5 events prior to the alert event within the same index & source specified.

<Root_Search> | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search <Root_Search> starttimeu=$marks$ endtimeu=$marke$ | head <number_of_events_to_go_back> | reverse"

EXAMPLE:

index=_internal source=*splunkd.log* component=SearchScheduler | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search index=_internal source=*splunkd.log* starttimeu=$marks$ endtimeu=$marke$ | head 6  | reverse

This will pull the last time splunk had seen an event from search:index=_internal source=splunkd.log component=SearchScheduler along with the last 5 events prior within "index=_internal source=splunkd.log"

View solution in original post

Ruski88
Engager

I was able to make the search below work so that when the event that triggered the alert ran, it would gather the last 5 events prior to the alert event within the same index & source specified.

<Root_Search> | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search <Root_Search> starttimeu=$marks$ endtimeu=$marke$ | head <number_of_events_to_go_back> | reverse"

EXAMPLE:

index=_internal source=*splunkd.log* component=SearchScheduler | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search index=_internal source=*splunkd.log* starttimeu=$marks$ endtimeu=$marke$ | head 6  | reverse

This will pull the last time splunk had seen an event from search:index=_internal source=splunkd.log component=SearchScheduler along with the last 5 events prior within "index=_internal source=splunkd.log"

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...