https://community.splunk.com/t5/Splunk-Search/How-to-enumerate-the-events-in-my-search-results/m-p/169546#M48463 <P>You can use the accum command to simulate this sort of effect.</P> <P>Like this:</P> <PRE> | eval n = 1 | accum n </PRE> <P>which will create a new field called "n" that will contain the incremental event number in the order of your search results.</P> <P>you can then list out the events and this line number in a table like this:</P> <PRE> | table n _raw </PRE> <P>Also, if you want to list it out like you would see in a text editor, where the earliest event is at the top, and the latest event is at the bottom, then use the reverse command first, like this:</P> <PRE> | reverse | eval n = 1 | accum n | table n _raw </PRE> Mon, 04 Aug 2014 15:11:29 GMT maverick 2014-08-04T15:11:29Z https://community.splunk.com/t5/Splunk-Search/How-to-enumerate-the-events-in-my-search-results/m-p/169545#M48462 <P>When I view my log file in my favorite text editor(s), I can switch to a mode where the editor lists out the line numbers long the side.</P> <P>After I search my events in Splunk, is there a similar way to enumerate the events so that I get a line number next to each event?</P> Mon, 04 Aug 2014 15:05:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-enumerate-the-events-in-my-search-results/m-p/169545#M48462 maverick 2014-08-04T15:05:41Z https://community.splunk.com/t5/Splunk-Search/How-to-enumerate-the-events-in-my-search-results/m-p/169546#M48463 <P>You can use the accum command to simulate this sort of effect.</P> <P>Like this:</P> <PRE> | eval n = 1 | accum n </PRE> <P>which will create a new field called "n" that will contain the incremental event number in the order of your search results.</P> <P>you can then list out the events and this line number in a table like this:</P> <PRE> | table n _raw </PRE> <P>Also, if you want to list it out like you would see in a text editor, where the earliest event is at the top, and the latest event is at the bottom, then use the reverse command first, like this:</P> <PRE> | reverse | eval n = 1 | accum n | table n _raw </PRE> Mon, 04 Aug 2014 15:11:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-enumerate-the-events-in-my-search-results/m-p/169546#M48463 maverick 2014-08-04T15:11:29Z https://community.splunk.com/t5/Splunk-Search/How-to-enumerate-the-events-in-my-search-results/m-p/169547#M48464 <P>Also, there is an internal field called <CODE>_serial</CODE> that should already be there (but it is semi-invisible) but it starts at <CODE>0</CODE> instead of <CODE>1</CODE>. Try this (should be the quickest and most efficient solution):</P> <PRE><CODE>... | eval serial=_serial | table serial _raw </CODE></PRE> Thu, 17 Sep 2015 15:04:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-enumerate-the-events-in-my-search-results/m-p/169547#M48464 woodcock 2015-09-17T15:04:49Z