How do you pull data from a previous event?

muzicman61 · ‎01-08-2019

So here is what my Splunk data looks like... these 4 events are consistently sequential.

›  1/7/19 1:02:11.211 PM    2019-01-07 14:02:11.211|Testing rule - Result:True
host = WTSXXXXX  sourcetype = VHT:HPIQ:VHT_QueueMonitorService 

›  1/7/19 1:02:11.208 PM    2019-01-07 14:02:11.208|Testing rule - Condition:   (FifoCallBacks <= 1) && (OpMode == QSPEAK) 
host = WTSXXXXX  sourcetype = VHT:HPIQ:VHT_QueueMonitorService 

›  1/7/19 1:02:11.208 PM    2019-01-07 14:02:11.208|Testing rule - Description: VHT_Test Rule
host = WTSFCCMY  sourcetype = VHT:HPIQ:VHT_QueueMonitorService 

›  1/7/19 1:02:11.208 PM    2019-01-07 14:02:11.208|rule:  VHT_Test
host = WTSXXXXX  sourcetype = VHT:HPIQ:VHT_QueueMonitorService

Once I find an event with ( results:True) then I need the pull the rule name in the last event (VHT_Test)

So to clarify, when I find "result:True" I need to pull the rule name from the event 3 events prior.

Really lost on how to do this.

Thanks!

skoelpin · ‎01-08-2019

Use streamstats window=1 to grab from the nearest "neighbor"

https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Streamstats

How do you pull data from a previous event?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...