On a *nix command line you can see relative before-and-after lines while using the grep command:

  grep "abc" -A 2 -B 3
  1. My question: is there any way in the Splunk Enterprise product to see relative lines when doing a search?

  2. Splunk search supports head and tail. Is there a way to do a continuous stream on a Splunk dashboard, similar to the -f flag to tail on a *nix command line?

1 Answer

Even though Splunk once called itself "grep for the datacenter", it's not an implementation of grep.

When events are found they are processed one at a time, so there is no real concept of relative lines/events.

If you use neither head nor tail, then you will get all events (subject to memory and some other limitations).

Is that what you mean by "continuous stream"? If not, what do you mean?

Perhaps a real-time search qualifies as "continuous"?

  • Use case for the above question: When I have searched using a keyword, say "error", Splunk returns all the matching lines from my application log. But I am interested in knowing what caused this error, hence I want to view the lines printed just before it. In some cases I wanted to know what lines are logged after the lines matching the search text. – SauriBabu Nov 28 '20 at 07:16
  • When you search for "error", Splunk returns only the events that contain that string. It's as though other events don't exist. To find events before or after that requires getting the time of the error event and passing that to another search that looks for earlier or later events. Something like this: `index=foo [ search index=foo "error" | stats min(_time) as mintime, max(_time) as maxtime | eval earliest=relative_time(mintime, "-5s"), latest=relative_time(maxtime, "+5s") | fields earliest latest | format]` – RichG Nov 30 '20 at 14:01
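The two ways of defining "context around a match" that come up in this thread, as an added example that is not from any poster and is not Splunk code: a small Python model over a constructed application log. It compares grep's positional context (-B/-A, by line offset) with time-based context (every event within N seconds of each match, which is what a per-event version of the subsearch above would return), and also models the single min/max window the subsearch literally builds, to show that one window around all matches widens to cover everything in between when the matches are far apart. The log lines, the timestamp format and the keyword "error" are assumptions made for the example.

```python
"""Context around matching log events: positional (grep -B/-A) versus
time-window (what a Splunk earliest/latest subsearch selects).

Added example; the log below is constructed for illustration and the
'YYYY-MM-DD HH:MM:SS message' timestamp format is an assumption.
"""
from datetime import datetime, timedelta

# Constructed sample log: two separate failures about four minutes apart.
SAMPLE_LOG = """\
2020-11-28 07:15:58 worker-3 start job 4411
2020-11-28 07:16:00 worker-3 open db connection pool=primary
2020-11-28 07:16:01 worker-3 query timeout after 30000 ms
2020-11-28 07:16:02 worker-3 ERROR job 4411 failed: db timeout
2020-11-28 07:16:02 worker-3 rollback job 4411
2020-11-28 07:16:03 worker-3 retry scheduled in 60s
2020-11-28 07:20:00 worker-1 start job 4412
2020-11-28 07:20:09 worker-1 ERROR job 4412 failed: permission denied
2020-11-28 07:20:10 worker-1 alert sent to oncall
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse(log_text):
    """Return [(timestamp, line), ...] in file order (the assumed format
    puts a 19-character timestamp at the start of every line)."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            events.append((datetime.strptime(line[:19], TS_FMT), line))
    return events


def _matches(line, keyword):
    return keyword.lower() in line.lower()


def line_context(events, keyword, before=1, after=1):
    """grep -B/-A behaviour: surrounding events chosen by *position* in the
    file. Overlapping or adjacent windows are merged, as grep prints them.
    Returns a list of windows, each a list of lines."""
    windows = []
    for i, (_, line) in enumerate(events):
        if not _matches(line, keyword):
            continue
        lo, hi = max(0, i - before), min(len(events), i + after + 1)
        if windows and lo <= windows[-1][1]:
            windows[-1][1] = max(windows[-1][1], hi)   # merge with previous
        else:
            windows.append([lo, hi])
    return [[ln for _, ln in events[lo:hi]] for lo, hi in windows]


def time_context(events, keyword, before=timedelta(seconds=5),
                 after=timedelta(seconds=5)):
    """Per-match time window: every event whose timestamp lies within
    [t - before, t + after] of a matching event, regardless of position.
    This is the per-event version of the earliest/latest subsearch idea."""
    out = []
    for ts, line in events:
        if _matches(line, keyword):
            lo, hi = ts - before, ts + after
            out.append([ln for t, ln in events if lo <= t <= hi])
    return out


def single_window_context(events, keyword, pad=timedelta(seconds=5)):
    """What one stats min(_time)/max(_time) subsearch builds: a single
    window from the first match minus pad to the last match plus pad.
    With matches spread over time this returns everything in between."""
    hits = [ts for ts, line in events if _matches(line, keyword)]
    if not hits:
        return []
    lo, hi = min(hits) - pad, max(hits) + pad
    return [ln for t, ln in events if lo <= t <= hi]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for name, result in (("line -B1 -A1", line_context(ev, "error")),
                         ("time +/-5s", time_context(ev, "error"))):
        print(f"== {name}: {len(result)} windows")
        for window in result:
            print("\n".join(window), "\n--")
    print("== single min/max window:", len(single_window_context(ev, "error")), "lines")
```

On the constructed log, positional context yields two three-line windows, the per-match 5-second window yields six lines for the first error (the timeout chain before it and the rollback after) but only two for the second, and the single min/max window returns all nine lines because it spans the four minutes between the two errors. When matches are clustered the single window is fine; when they are spread out, run the time window per event.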