What is the search range given for beginning and e...

thomasreggi · ‎01-29-2018

Given the following log lines:

Alpha
Beta
Gamma
Hello
World
Soup

I would like to query ` | first="Beta" | last="World" and get the following:

Beta
Gamma
Hello
World

niketn · ‎01-29-2018

@thomasreggi, Ideally you would need some correlation id to stitch events together i.e.

 <YourBaseSearch>
| transaction <some_id_or_ids> startswith="Beta" endswith="World"

There are several event correlation methods in Splunk like stats, transaction, lookup, append, appendcols, join, multisearch, union etc.. Based on use cases one or more can be applied: http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation

For your use case, transaction seems better fit. However, like stated earlier you would need some correlation id. Following is a run anywhere search where I have created id="myid1" as the id for transaction. PS: Query till reverse generate dummy data. The reverseis required only in the example not for real-time data.

| makeresults
| eval data="Alpha,Beta,Gamma,Hello,World,Soup"
| makemv data delim="," 
| mvexpand data
| rename data as _raw 
| reverse
| eval id="myid1"
| transaction id startswith="Beta" endswith="World"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

What is the search range given for beginning and end query?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!