Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to include a few events from the log prior to the event that triggered the alert?

splunkIT
Splunk Employee
Splunk Employee
‎04-05-2017 03:55 PM

I would like to setup a scheduled alert which includes the event that triggers the alert, plus a few events prior the "main" event.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ruski88
Engager
‎04-05-2017 04:18 PM

I was able to make the search below work so that when the event that triggered the alert ran, it would gather the last 5 events prior to the alert event within the same index & source specified. 

<Root_Search> | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search <Root_Search> starttimeu=$marks$ endtimeu=$marke$ | head <number_of_events_to_go_back> | reverse"

EXAMPLE:

index=_internal source=*splunkd.log* component=SearchScheduler | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search index=_internal source=*splunkd.log* starttimeu=$marks$ endtimeu=$marke$ | head 6  | reverse

This will pull the last time splunk had seen an event from search:index=_internal source=splunkd.log component=SearchScheduler along with the last 5 events prior within "index=_internal source=splunkd.log"

View solution in original post

Reply
Solved! Jump to solution
Solution

Ruski88
Engager
‎04-05-2017 04:18 PM

I was able to make the search below work so that when the event that triggered the alert ran, it would gather the last 5 events prior to the alert event within the same index & source specified. 

<Root_Search> | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search <Root_Search> starttimeu=$marks$ endtimeu=$marke$ | head <number_of_events_to_go_back> | reverse"

EXAMPLE:

index=_internal source=*splunkd.log* component=SearchScheduler | head 1 
| eval marke=_time+1, marks=marke-60
| map search="search index=_internal source=*splunkd.log* starttimeu=$marks$ endtimeu=$marke$ | head 6  | reverse

This will pull the last time splunk had seen an event from search:index=_internal source=splunkd.log component=SearchScheduler along with the last 5 events prior within "index=_internal source=splunkd.log"

Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...