Search to view one _raw event for each result

browncardigan
Path Finder

I'm in the process of evaluating our log sources to figure out what we should be keeping and how to parse the data to get the results we need.

As an example, looking at Exchange logs, there's an event_id field with results like

RECEIVE
SUBMIT
SEND
DELIVER
AGENTINFO
FAIL
DROP

I want to view one or two raw events for each of the event_id values to see if they're significant enough to keep and/or parse in our searches.

Is there a way to do this? I've tried searching in Splunk Answers but haven't found any questions similar to this one - apologies if I've missed it.

0 Karma
1 Solution

browncardigan
Path Finder

Can't figure out how to select a comment as an answer, but it was provided by @renjith.nair:

For multiple results per event_id:
"your base" | top 10 _raw by event_id

Or just the first result (first() is a stats aggregation, so it needs the stats command in front of it):
"your base" | stats first(_raw) as raw by event_id

0 Karma

renjith_nair
SplunkTrust

@browncardigan ,

Are you looking for something similar to the below?

"your base search"|stats first(_raw) as _raw by event_id

Happy Splunking!

browncardigan
Path Finder

That's a neat workaround, but if possible I'd prefer to get a bigger sample size for each event_id. It doesn't look like either first() or last() takes any arguments - I don't suppose you'd know how to get around that?

0 Karma

renjith_nair
SplunkTrust

"your base" | top 10 _raw by event_id ?

where 10 can be replaced by any number

Happy Splunking!

browncardigan
Path Finder

Ah, yeah that worked perfectly, thanks so much for your help!

0 Karma
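A variant of the sampling searches discussed in this thread, added here as an example and not taken from any post above: it returns whole events (with every extracted field intact) rather than the value/count table that top produces, and pairs each sample with the total volume of that event_id so you can judge whether the value is worth keeping or parsing. index=mail and sourcetype=exchange_tracking are placeholder names for your own base search.

```spl
index=mail sourcetype=exchange_tracking earliest=-24h
| eventstats count AS total_events BY event_id
| dedup 2 event_id
| table event_id total_events _time _raw
| sort event_id, _time
```

dedup 2 event_id keeps the first two events returned for each event_id value (change 2 for a larger sample); events that have no event_id field are dropped unless you add keepempty=true.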