Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Equivalent of grep -A and grep -B

borisalves
Path Finder
‎02-20-2013 06:49 PM

I have a line that prints
2/20/13 6:45:45.000 PM [2013-02-20 18:45:45] FATAL

so that is ok, but what i really want to see is a couple of lines above or bellow that hit.

Does splunk have something similar to grep -A or grep -B or do I have to extract the time variable into a lookup table and then run another search looking for hits around that time stamp?

I am hoping something exists for that, thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-20-2013 07:38 PM

In addition to Show Source, check out this entry in the Splunk wiki:

http://wiki.splunk.com/Community:FindingSurroundingEvents

View solution in original post

0 Karma
Reply
Solved! Jump to solution

borisalves
Path Finder
‎03-04-2013 10:28 AM

Thank you all. The problem is that in a interval of 1 second I have too many results. If I ever find a similar function I will post in this questions.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-05-2013 12:41 AM

That approach might work with streamstats as well. Tag your desired events with eval foo = 1, use streamstats with a certain window to sum up foo, and only keep events with sum(foo) > 0.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-05-2013 12:30 AM

Would it be possible to use a transaction to get X number of events before the identified event? Like;

...| transaction sourcetype endswith=FATAL maxevents=10 maxspan=1s

Since we're going backwards in time, it ought to be possible to find that "FATAL" and count 10 more events. Or is that just another way of doing stuff inefficiently?

/K

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-05-2013 12:12 AM

If you need a shorter interval you could modify earliest and latest fields of localize down to the millisecond.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-20-2013 07:38 PM

In addition to Show Source, check out this entry in the Splunk wiki:

http://wiki.splunk.com/Community:FindingSurroundingEvents

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎02-21-2013 02:15 AM

The short answer is there's really no good way of doing this in Splunk. There are more or less convoluted ways, but no easy and intuitive. Sadly.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-21-2013 01:17 AM

That looks complicated - consider http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/localize

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎02-20-2013 07:17 PM

Have you tried "Show Source" in the Event Menu? The Event Menu is the blue box with a down-arrow that sits next to the timestamp and data for each event.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...