EXCERPT FROM “EXPLORING SPLUNK: SEARCH PROCESSING LANGUAGE (SPL) PRIMER AND COOKBOOK”. Kindle/iPad/PDF available for free, and hardcopy available for purchase at Amazon.
Finding Events After Other Events
You need to get the first 3 events after a particular event (for example, a login event) — for the events related to a particular user — but there is no well-defined ending event.
Given the following ideal transaction that starts with a login action:
 10:11:12 userid=root action=login  10:11:13 userid=root action=”cd /”  10:11:14 userid=root action=”rm -rf *”  10:11:15 userid=root server=”echo lol”
The obvious search choice is to use transaction that starts with the login action:
... | transaction userid startswith="(action=login)" maxevents=4
The problem is that you will get transactions that don’t have action=login. Why? The startswith option does not tell transaction to return only transactions that actually begin with the string you’re supplying. Rather it tells transaction that when it encounters a line that matches the startswith directive, it is the beginning of a new transaction. However, transactions will also be made for different values of userid, regardless of the startswith condition.
To avoid this, add a filtering search command after the transaction search above:
... | search action=login
The transactions returned will start with action=login and include the next three events for the userid.
Note: If there are less than three events between two logins, the transaction will be smaller than 4 events. The transaction command adds an eventcount field to each transaction, which you can then use to further filter transactions.