Community:FindingSurroundingEvents

From Splunk Wiki

Jump to: navigation, search

Searching for surrounding events

There situations where a user may want to see all events that occurred before and/or after a specific event. To do this, one can use the start and end time parameters to set the boundaries for this search.

Background

The search to find surrounding events can be broken down into 3 parts. To run this search you must be able to do the following:

1. search for the original event

2. set the timeframe for your surrounding events search

3. search for the surrounding events

Setting the time frame

This is done using the starttimeu and endtimeu search parameters. These are not officially supported in 3.3.x (see release notes) via the web interface, but are supported via the command line. They do appear to work in the web UI, but you should try them via CLI to ensure it works correctly.

  • use the "eval" command to set the starttimeu and endtimeu values (documented in 3.1 docs, not in 3.3)
  • use the "fields" command to return the values as arguments from the subsearch
  • use the "stats min(_time) as starttimeu" or "stats min(_time) as endtimeu"


Final Step: add a wildcard search in combination with the subsearch for the starttimeu and endtimeu values.

  • Example Command:

* [search sourcetype="splunksource" splunk_event | eval starttimeu=_time | eval endtimeu=_time+900 | fields + starttimeu endtimeu]

  • If you have multiple events, use the min() operator to pull the first time value:

* [search sourcetype="splunksource" splunk_event | stats min(_time) as starttimeu | eval endtimeu=starttimeu+900]

  • To find events 15 minutes before and after, create an extra variable called foovalue to set the starttimeu to 900 seconds ago:

* [search sourcetype="splunksource" splunk_event | stats min(_time) as eventstarttime | eval starttimeu=eventstarttime-900 | eval endtimeu=eventstarttime+900 | fields + starttimeu endtimeu]

More details

To set a time boundary, you would use the "starttimeu" and "endtimeu" field values. For our situation, we would use the "eval" command to assign a variable to the raw time value (_time) of the event being searched out. To set a the starttimeu variable, you would issue the following command:

| eval starttimeu=_time

You could similarly set the endtimeu value by substituting it for starttimeu in the above command. Thankfully, we can issue mathematical operations as well. So we can adjust the raw time value (in unix time) by adding a "+<value>" or "-<value>", where <value> is a time in seconds. To alter the raw _time value by 15 minutes (900 seconds) in the future, we would issue:

| eval endtimeu=_time+900

To limit a search to a 15 minute timeframe, we would want to set the starttimeu and endtimeu values. This means that we would use the eval operation twice, and set it differently each time. The command to limit our window to 15 minutes (900 seconds) would be as follows (don't forget to use a pipe):

| eval starttimeu=_time | eval endtimeu=_time+900

So the above commands take the raw _time value your search has returned, and created two values: starttimeu and endtimeu. We now want to return these fields, to the next search (as arguments). We do this by calling the fields we just created/set:

| fields + starttimeu endtimeu

Note that the above command will only function in combination with the two previous eval commands, since you need to set those two as variables. The complete command:

| eval starttimeu=_time | eval endtimeu=_time+900 | fields + starttimeu endtimeu

Try adding this to your basic search and see what is returned (you should see two values in unix time, called starttimeu and endtimeu).


Now that we have a timeframe for our search, we just need to set this as a subsearch and combine it with a wildcard. To do this, you must call the "search" command and enclose it in square brackets. You will then AND this subsearch command with a wildcard to call all of the events within that time frame. Note that you do not need to specify AND, as that is on by default.

* [search sourcetype="splunksource" splunk_event | eval starttimeu=_time | eval endtimeu=_time+900 | fields + starttimeu endtimeu]

Where your original event search was for the splunksource sourcetype and the splunk_event event.

Personal tools
Hot Wiki Topics


About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk