topic Re: How to read middle events from the event list? in Splunk Search

How to read middle events from the event list?

Rajkumarkbm — Thu, 15 Feb 2018 06:51:47 GMT

I am having n number of events but want to read 3 and 4th record.

Eg:
2018-02-09 ABCD 1234 5678
2018-02-09 EFGH 1334 9978
2018-02-08 ABCD 1234 6678
2018-02-08 EFGH 1324 7778
2018-02-07 ABCD 1254 5178
2018-02-07 EFGH 1384 5978

Out of the above kind of records I have to pick the 3rd and 4th event only.

Head and Tail commands will give the first and last n number of events but how to pick middle/in-between events.

Re: How to read middle events from the event list?

493669 — Thu, 15 Feb 2018 06:59:25 GMT

Try this run anywhere search:

|makeresults|eval _raw="2018-02-09 ABCD 1234 5678"
|append[|makeresults|eval _raw="2018-02-09 EFGH 1334 9978"]
|append[|makeresults|eval _raw="2018-02-08 ABCD 1234 6678"]
|append[|makeresults|eval _raw="2018-02-08 EFGH 1324 7778"]
|append[|makeresults|eval _raw="2018-02-07 ABCD 1254 5178"]
|append[|makeresults|eval _raw="2018-02-07 EFGH 1384 5978"]|makemv _raw delim=" "
|eval field3= mvindex(_raw,2), field4=mvindex(_raw,3)

Re: How to read middle events from the event list?

Rajkumarkbm — Thu, 15 Feb 2018 07:06:58 GMT

If I am having n number of events this will not help and moreover there wont be any hard coded so is there any other way to access those events.

Re: How to read middle events from the event list?

493669 — Thu, 15 Feb 2018 07:13:53 GMT

have you tried like this:

<base search giving events>|makemv _raw delim=" "
 |eval field3= mvindex(_raw,2), field4=mvindex(_raw,3)

What type of hard coding are you saying?

Re: How to read middle events from the event list?

Rajkumarkbm — Thu, 15 Feb 2018 07:20:19 GMT

Yes, I have tried this but it is not working as expected. I need to extract 3rd and 4th row or 5th and 6th row not the column.

Re: How to read middle events from the event list?

HiroshiSatoh — Thu, 15 Feb 2018 08:21:09 GMT

I do not know the standard of middle
I think a little adjustment is necessary, but how about such a search sentence?

| makeresults        |eval Date="2018-02-09",Value1="ABCD",Value2="1234",Value3="5678"
 |append[|makeresults|eval Date="2018-02-09",Value1="EFGH",Value2="1334",Value3="9978"]
 |append[|makeresults|eval Date="2018-02-08",Value1="ABCD",Value2="1234",Value3="6678"]
 |append[|makeresults|eval Date="2018-02-08",Value1="EFGH",Value2="1324",Value3="7778"]
 |append[|makeresults|eval Date="2018-02-07",Value1="ABCD",Value2="1254",Value3="5178"]
 |append[|makeresults|eval Date="2018-02-07",Value1="EFGH",Value2="1384",Value3="5978"]
 |eval number=1| accum  number| eventstats max(number) as max,median(number) as median
 |eval Ref=floor(max/3)|where number>Ref and number<=median

Re: How to read middle events from the event list?

LHAYNES020 — Mon, 06 Aug 2018 15:55:08 GMT

It's a tad clunky, but as long as you want to sort by _time, there's a way to do it with streamstats:

| eval low=3 
| eval high=4 
| streamstats count as NewToOld 
| head(NewToOld<=high) 
| reverse 
| streamstats count as OldToNew 
| head(OldToNew<=high-low+1) 
| reverse

Streamstats will basically index your events for you and then through a little mathematical manipulation, you can use head and tail (or in this case, reverse & head) to chop off either end of the results leaving only the desired middle results. Note that this will only work if you're looking for the middle results by the order Splunk found them (which is the same as _time as long as you don't have any appended results).