Suppose my log indexed in splunk looks like:
1
...
50 abracadabra
...
Now, I do a search for abracadabra. Splunk will show me 1 event, i.e. line number 50.
How do I see the lines before and after line 50 to get more context? Can I 'jump' to line 50 like we can jump to any line in vim?
Thank you.
BEWARE! Read the warnings on the map command in the documentation (it can be as all-consuming of resources as real-time searches are). This answer assumes that you literally meant what you wrote: that all these events are in the same file. Assuming that you have 1 event/line (almost certainly true), you can do something like this:
index=alwaysUseAnIndexValue sourcetype=alwaysUseSourcetypeValuesToo abracadabra
| eval serial=_serial
| map search="search index=$index$ sourcetype=$sourcetype$ source=$source$ | eval serial=$serial$"
This gives you ALL lines, so you will have to do a bit more work after that, but this is the main/hard part.
BEWARE! Read the warnings on the map command in the documentation (it can be as all-consuming of resources as real-time searches are). You can do something similar like this:
index=alwaysUseAnIndexValue sourcetype=alwaysUseSourcetypeValuesToo abracadabra
| eval earliest=_time - 1
| eval latest=_time + 1
| eval serial=_serial
| map search="search index=$index$ sourcetype=$sourcetype$ earliest=$earliest$ latest=$latest$ | eval serial=$serial$"
This will give you 1 second of events before, everything in the same second, and 1 second of events after, and an indication of which source event (serial) the events match against.
This is how I would approach this as well.
The grep command in Linux has -A and -B arguments for this, so I was wondering if Splunk has something similar.
So all these lines are coming into Splunk as separate events (each line is an event)? If your search returns fewer events and you want to check the surrounding events, you can use Event Actions -> Show Source. You can also use the methods described in the link below to look for neighboring events.
https://answers.splunk.com/answers/150509/how-to-get-events-around-identified-event.html
I am trying to do the opposite of this query - how do I get the returned event to show only the lines which match the query, not the adjacent lines?