- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I get more context around my search result ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I get more context around my search result while searching in splunk?
Suppose my log indexed in splunk looks like:
1
...
50 abracadabra
...
Now, I do a search for abracadabra. splunk will show me 1 event i.e. line number 50.
How I see the lines before and after line 50 to get more context. Can I 'jump' to line 50 like we can jump to any line in vim.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BEWARE! Read the warnings on the map command in the documentation (it can be as all-consuming of resources as real-time searches are). This answer assumes that you literally meant what you wrote: that all these events are in the same file. Assuming that you have 1 event/line (almost certainly true), you can do something like this:
index=alwaysUseAnIndexValue sourcetype=alwaysUseSourcetypeValuesToo abracadabra
| eval serial=_serial
| map search="search index=$index$ sourcetype=$sourcetype$ source=$source$ | eval serial=$serial$"
This gives you ALL lines, so you will have to do a bit more work after that, but this is the main/hard part.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BEWARE! Read the warnings on the map command in the documentation (it can be as all-consuming of resources as real-time searches are). You can do something similar like this:
index=alwaysUseAnIndexValue sourcetype=alwaysUseSourcetypeValuesToo abracadabra
| eval earliest=_time - 1
| eval lastet = _time + 1
| eval serial=_serial
| map search="search index=$index$ sourcetype=$sourcetype$ earliest=$earliest$ latest=$latest$ | eval serial=$serial$"
This will give you 1 second of events before, everything in the same second, and 1 second of events after, and an indication of which source event ( serial ) against which the events match.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is how I would approach this as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
grep command in linux has -A and -B arguments for this. So, I was wondering if splunk has something similar.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So all these lines are coming to splunk as separate events (each line is event)? If your search returns less events and you want to check surrounding events, you can use Event Actions-> Show source. You can also use methods describe in below links to look for neighboring events.
https://answers.splunk.com/answers/150509/how-to-get-events-around-identified-event.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to do the opposite to this query - how do I get the returned Event to show only lines which match the query - not adjacent lines?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
