Thanks, this was helpful.
I am now trying something further:
Let's take the case again but change Log 1's data:
Log 1:
12/5/13 3:28:14.000 john is a dog
12/5/13 3:29:14.000 peter is a dog
12/5/13 3:30:14.000 paul is a cat
12/5/13 3:30:14.000 paul likes chocolates
12/5/13 3:28:14.000 john likes chocolates
Log 2:
12/5/13 3:30:14.000 Name:peter
12/5/13 3:29:14.000 Name:mary
I need the output of my query to allow me to extract the next N lines after 'peter is a dog'.
For example:
If I want the next 2 lines after 'peter is a dog'
I want to first do a join as mentioned in your solution above and get the line "peter is a dog"
Then I want to get the next two lines as well
So the output should be:
peter is a dog
paul is a cat
paul likes chocolates
I tried the following query but it did not help:
source="C:\Users\vinorama.ST-USERS\Work\Splunk\peter_paul\peter3.txt" |transaction startswith=[search source="C:\Users\vinorama.ST-USERS\Work\Splunk\peter_paul\peter3.txt" | rex "(?i)^(?:[^ ]* ){2}(?P<Name>[^ ]+)" | join Name [search source="C:\Users\vinorama.ST-USERS\Work\Splunk\peter_paul\mary3.txt" | rex "Name:(?<Name>[^ ]+)" | table Name]] maxevents=3