Show context events just before and after a match

[Crevil]

When an alert fires, it is convenient to see some context events from the same source just before and after the triggering event. Much like the --before-context --after-context flags of grep.

I'm thinking the API could allow for events matching the previous source so:

app=foo | context(before=1, after=1)

would give any events matching app=foo with 1 event just before and after matching anything. (like grep --before-context 1 --after-context 1 foo).

Further more a variant for alerts could be

app=foo  | context("bar", before=1, after=1)

would trigger when an event matches app=foo and contains bar. The result set would contain the triggering event and a single event before and after matching app=foo.

I hope I made myself clear. Otherwise ask 😃

[pmech]

Hi Bjørn, thanks for the input.

This relates to thoughts we have around 'around' (pun intended :)). When you click on an event, you should be able to see the events around that event. Having that capability in alerts makes really good sense. Not sure how to best do the feature, so we will need feedback. Having a context function break a bit with how we normally process events I think, but the idea worth considering. Thanks.

We don't have a timeline for when we will start looking more into this at the moment. It is on our radar though.

[Crevil]

Good good. An around function sounds the same. I just typed what came to my head so the syntax should surely follow the more Humio-like ways. Currently I work around this by using the timeline and loosening the query constraints so it's not urgent at all 😄

[Crevil]

This is released as event context, right? So this issue could be closed?

[mwl]

Exactly. Thanks for bringing this to our attention @Crevil. Always nice being able to close issues 😄