Solved: Re: Is it possible to limit the number of events r...

jithinmathew · ‎08-23-2018

Hi all,

I wish to make a dashboard that sort of shows an End to End flow of transactions. For this, I need to be using multiple indexes and source types. I only want to display the top 2 or 5 events grabbed from any index.

For example:

Index = foo
Index = bar

I want to grab the last 2 events from foo and the last 2 events from bar putting them both into the same table view.

adonio · ‎08-23-2018

maybe like this:

 index = foo 
| head 2 
| append [ search index = bar | head 2 ]
| stats count by _raw index
| table _raw index

hope it helps

View solution in original post

adonio · ‎08-23-2018

maybe like this:

 index = foo 
| head 2 
| append [ search index = bar | head 2 ]
| stats count by _raw index
| table _raw index

hope it helps

jithinmathew · ‎08-23-2018

Hi Adonio,

Thanks for the suggestion.

Is there anyway to append that to this clause:

index="Foo" OR index="bar" source="FOO" OR source="BAR" .

I have tried to do this:

(index=foo source="FOO" | head 2) OR (index=bar source="BAR" | head 2) but this did not seem to work 😞

adonio · ‎08-24-2018

not sure what you are trying to do here ... can you elaborate?

Is it possible to limit the number of events recieved from a particular index?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life