New Splunk Book Excerpt: Finding Events After Other Events

EXCERPT FROM “EXPLORING SPLUNK: SEARCH PROCESSING LANGUAGE (SPL) PRIMER AND COOKBOOK”. Kindle/iPad/PDF available for free, and hardcopy available for purchase at Amazon.

Finding Events After Other Events


You need to get the first 3 events after a particular event (for example, a login event) — for the events related to a particular user — but there is no well-defined ending event.


Given the following ideal transaction that starts with a login action:

          [1] 10:11:12 userid=root action=login
          [2] 10:11:13 userid=root action="cd /"
          [3] 10:11:14 userid=root action="rm -rf *"
          [4] 10:11:15 userid=root server="echo lol"

The obvious search choice is to use the transaction command, starting each transaction at the login action:

          ... | transaction userid startswith="(action=login)" maxevents=4

The problem is that you will get transactions that don’t have action=login. Why? The startswith option does not tell transaction to return only transactions that actually begin with the string you’re supplying. Rather it tells transaction that when it encounters a line that matches the startswith directive, it is the beginning of a new transaction. However, transactions will also be made for different values of userid, regardless of the startswith condition.

To avoid this, add a filtering search command after the transaction search above:

          ... | search action=login

The transactions returned will start with action=login and include the next three events for the userid.

Note: If there are fewer than three events between two logins, the transaction will contain fewer than 4 events. The transaction command adds an eventcount field to each transaction, which you can then use to further filter transactions.
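The grouping behaviour described above, modelled in Python as an added example (not from the book, and a simplified model rather than Splunk's implementation). The alice and bob events and all function names are constructed for illustration; the model shows why a transaction without a login appears, what the `search action=login` filter removes, and how eventcount separates short transactions from full ones.

```python
import re

# Constructed sample events in the excerpt's format; alice never logs in,
# and bob logs in again after only one command.
SAMPLE = """\
10:11:10 userid=alice action="ls"
10:11:11 userid=alice action="pwd"
10:11:12 userid=root action=login
10:11:13 userid=root action="cd /"
10:11:14 userid=root action="rm -rf *"
10:11:15 userid=root action="echo lol"
10:11:16 userid=bob action=login
10:11:17 userid=bob action="id"
10:11:18 userid=bob action=login
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Split 'HH:MM:SS k=v k="v v"' into a dict of fields."""
    ts, rest = line.split(" ", 1)
    event = {"time": ts}
    for key, quoted, bare in KV.findall(rest):
        event[key] = quoted or bare
    return event

def transactions(events, maxevents=4):
    """Simplified model of: transaction userid startswith="(action=login)" maxevents=4.
    Assumes events arrive in ascending time order."""
    open_tx, closed = {}, []
    for ev in events:
        tx = open_tx.get(ev["userid"])
        # A login, or a full transaction, closes whatever is open for this user.
        if tx and (ev.get("action") == "login" or len(tx) >= maxevents):
            closed.append(open_tx.pop(ev["userid"]))
            tx = None
        if tx is None:
            # Any event opens a transaction for its userid, login or not.
            tx = open_tx[ev["userid"]] = []
        tx.append(ev)
    return closed + list(open_tx.values())

def has_login(tx):
    """Model of the follow-up filter: | search action=login"""
    return any(ev.get("action") == "login" for ev in tx)

EVENTS = [parse(line) for line in SAMPLE.splitlines()]
ALL_TX = transactions(EVENTS)
LOGIN_TX = [tx for tx in ALL_TX if has_login(tx)]
FULL_TX = [tx for tx in LOGIN_TX if len(tx) == 4]  # eventcount == 4
```

Here alice's two events form a transaction with no login, bob's two logins yield transactions of 2 and 1 events, and only root's transaction has the full eventcount of 4.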

David Carasso
