Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I display the 10 event entries prior to and post a specified keyword search?

Steve_A200
Path Finder
‎05-12-2023 07:38 AM

Hi,

In the logs file, we are capturing java error is multiple entries, so in order for me to see the entire error set, I need to see the events/records (10 used here as an example) that are immediately prior-to and post the keyword that is being search.

 

Currently, when I use the below SPL, I get only the events that contain the word "java" which is good, but I want to see the 10 records (i.e. log entry lines) prior to this "java" record and 10 entries post this "java" record".  The records prior-to and post may not have any keyword "java" in them, but I still want to see those records as part of the result set being displayed.

 

| from datamodel:"xyz"
| fields host source _time
| where like(_raw,"%java%")
| table host source _raw

 

Is there a way to display the 10 records/events prior-to and post the keyword being searched from the _raw field?

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2023 09:29 AM

Obviously, the key is getting the eval correct - you could try searchmatch

| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as post_java by java
| reverse
| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as pre_java by java
| where pre_java <= 10 OR post_java <= 10
| reverse

View solution in original post

Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎05-12-2023 09:38 AM

Thank you ITWhisperer, that indeed did the trick.  I sandwiched your search between the fields and table  commands.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2023 08:09 AM

Try something like this

| streamstats count(eval(error=="java")) as java
| streamstats reset_on_change=t count as post_java by java
| eval post_java=if(post_java==0,null(),post_java)
| reverse
| streamstats count(eval(error=="java")) as java
| streamstats reset_on_change=t count as pre_java by java
| eval pre_java=if(pre_java==0,null(),pre_java)
| where pre_java <= 10 OR post_java <= 10
| reverse
0 Karma
Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎05-12-2023 08:35 AM

Hi ITWhisperer,

Unfortunately, that didn't do the trick. 

2 issues:

- it did not list events that contained the keyword being search i.e. like "java"

- it listed a total of 20 events, I was hoping to list every event that contains the word "java" +/- 10 record, rather than just a single event +/- 10 events.

Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-12-2023 09:29 AM

Obviously, the key is getting the eval correct - you could try searchmatch

| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as post_java by java
| reverse
| streamstats count(eval(searchmatch("java"))) as java
| eval java=if(java==0,null(),java)
| streamstats reset_on_change=t count as pre_java by java
| where pre_java <= 10 OR post_java <= 10
| reverse
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...