
help to build the query using abstract command

Motivator

base query | rex field= "XXX*(?<regular_expression_value>.*)" | stats count by regular_expression_value

This query displays 5 lines, but I want only the first line.

How do I get that using abstract maxlines=1?


Re: help to build the query using abstract command

SplunkTrust

Try

base query | rex field= "XXX*(?<regular_expression_value>.*)" | stats count by regular_expression_value | head 1
---
If this reply helps you, an upvote would be appreciated.

Re: help to build the query using abstract command

Motivator

It won't work. It provides a table with one result.


Re: help to build the query using abstract command

SplunkTrust

Isn't that what you asked for? ("want only the first line") If you want more than one line, change the "1" to the desired number.

If it's something else you seek, please clarify the question.


Re: help to build the query using abstract command

Motivator

Actually, I have a regular expression and I am displaying the extracted value.
That value has 5 lines. I want to reduce it using the abstract command.
How do I do that?

base query | rex field= "XXX*(?<regular_expression_value>.*)" | stats count by regular_expression_value

regular_expression_value    count
5 lines                     4
3 lines                     8


Re: help to build the query using abstract command

SplunkTrust

The abstract command is for text, not stats.

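To illustrate the point that abstract works on text rather than on stats results, here is an added example (not from this thread) that builds three constructed multi-line events with makeresults, extracts the value with rex, keeps only its first line with split/mvindex, and then counts by that line; the abstract pipeline is shown separately. It assumes the OP's data is in _raw and that the capture is meant to span lines (hence [\s\S]* instead of .*), and uses urldecode("%0A") only to construct newlines in the sample.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw="XXX" . if(n<3, "first line A", "first line B") . urldecode("%0A") . "second line" . urldecode("%0A") . "third line"
| rex field=_raw "XXX*(?<regular_expression_value>[\s\S]*)"
| eval first_line=mvindex(split(regular_expression_value, urldecode("%0A")), 0)
| stats count BY first_line

| makeresults count=1
| eval _raw="XXXfirst line" . urldecode("%0A") . "second line" . urldecode("%0A") . "third line"
| abstract maxlines=1
| table _raw
```

The stats pipeline yields first line A with count 2 and first line B with count 1, which is the per-first-line count the thread is after. The abstract pipeline only rewrites _raw for display and chooses which line to keep by search-term scoring, so it is not a reliable way to normalise a field before stats.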

Re: help to build the query using abstract command

Motivator

Could you please modify the same command without stats and substitute abstract?


Re: help to build the query using abstract command

SplunkTrust

base query | rex field= "XXX*(?<regular_expression_value>.*)" | abstract maxlines=1


Re: help to build the query using abstract command

Motivator

What will it do?
It is not providing the answer I expected.


Re: help to build the query using abstract command

SplunkTrust

What answer are you expecting? What exactly are you trying to do? You insist on using abstract, but perhaps that is not the way to accomplish your goal.
