https://community.splunk.com/t5/Splunk-Search/Splunk-Head-command/m-p/665973#M228475 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249850">@SplunkSN</a>&nbsp; as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;says, the head command does not limit the columns/fields retrieved, it simply takes the first n results, so in your timechart case, it will return the&nbsp;<STRONG>earliest</STRONG> 15 rows of your timechart, so effectively 15 rows of 15 minute spans.</P><P>if you want to control the highest count of the dest_domain, you can use a where clause in the timechart, like this</P><LI-CODE lang="markup">| timechart span=15m count by dest_domain usenull=f useother=f where count in top10</LI-CODE><P>which will show you the 10 <STRONG>dest_domain</STRONG>&nbsp;values that have the highest count.</P><P>&nbsp;</P> Tue, 24 Oct 2023 08:09:11 GMT bowesmana 2023-10-24T08:09:11Z https://community.splunk.com/t5/Splunk-Search/Splunk-Head-command/m-p/665895#M228462 <P>Hi All,</P><P>&nbsp;</P><P>Splunk "head" command by default retrieves top 10 columns and 10 results. may i know if we can control the number of columns to be retrieved.</P><P>index= &lt;Splunk query&gt;| timechart span=15m count by dest_domain usenull=f useother=f | head 15</P><P>e.g.</P><P>_time|column1|...............................................................|coulmn15<BR />1</P><P>2</P><P>-</P><P>-</P><P>15</P> Mon, 23 Oct 2023 16:53:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Head-command/m-p/665895#M228462 SplunkSN 2023-10-23T16:53:24Z https://community.splunk.com/t5/Splunk-Search/Splunk-Head-command/m-p/665897#M228463 <P>To be pedantic, Splunk doesn't have "columns" in the DBA sense.&nbsp; We call them "fields".</P><P>The <FONT face="courier new,courier">head</FONT> command returns all fields in the first <FONT face="courier new,courier">n</FONT> results.&nbsp; The fields to return can be controlled with the <FONT face="courier new,courier">fields</FONT> command.</P><LI-CODE lang="markup">index= &lt;Splunk query&gt; | fields _time column1 column2 ... column15 | timechart span=15m count by dest_domain usenull=f useother=f | head 15</LI-CODE><P>In this case, however, <FONT face="courier new,courier">head</FONT> is unnecessary because <FONT face="courier new,courier">timechart</FONT> can do the same thing.</P><LI-CODE lang="markup">index= &lt;Splunk query&gt; | fields _time column1 column2 ... column15 | timechart limit=15 span=15m count by dest_domain usenull=f useother=f </LI-CODE><P>&nbsp;</P> Mon, 23 Oct 2023 17:02:25 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Head-command/m-p/665897#M228463 richgalloway 2023-10-23T17:02:25Z https://community.splunk.com/t5/Splunk-Search/Splunk-Head-command/m-p/665900#M228464 <P>Are you interested in leaving out <EM>dest_domain&nbsp;</EM>values that don't have high counts?&nbsp; A real simple way to approach it is to "pre-count" the <EM>dest_domain</EM> using <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eventstats" target="_self">eventstats</A>, and limit just those that had more than a particular threshold (in this case 100) with the <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where" target="_self">where</A> command:</P><P>&nbsp;</P><LI-CODE lang="markup">index= &lt;Splunk query&gt; | eventstats count by sourcetype | where count&gt;100 | timechart span=15m count by dest_domain usenull=f useother=f | head 15</LI-CODE><P>&nbsp;</P><P>Also, when you think about how Splunk is running these commands, you might visualize it running these commands over and over your data...like several for-loops one right after another.&nbsp; That's what it does.&nbsp; That's what it is optimized for...it's a bit counterintuitive compared to databases where you are trying to limit full-scans of things.&nbsp; The distributed architecture of Splunk is built for this.</P> Mon, 23 Oct 2023 17:31:54 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Head-command/m-p/665900#M228464 _JP 2023-10-23T17:31:54Z https://community.splunk.com/t5/Splunk-Search/Splunk-Head-command/m-p/665973#M228475 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249850">@SplunkSN</a>&nbsp; as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;says, the head command does not limit the columns/fields retrieved, it simply takes the first n results, so in your timechart case, it will return the&nbsp;<STRONG>earliest</STRONG> 15 rows of your timechart, so effectively 15 rows of 15 minute spans.</P><P>if you want to control the highest count of the dest_domain, you can use a where clause in the timechart, like this</P><LI-CODE lang="markup">| timechart span=15m count by dest_domain usenull=f useother=f where count in top10</LI-CODE><P>which will show you the 10 <STRONG>dest_domain</STRONG>&nbsp;values that have the highest count.</P><P>&nbsp;</P> Tue, 24 Oct 2023 08:09:11 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Head-command/m-p/665973#M228475 bowesmana 2023-10-24T08:09:11Z