Solved: Is there any way to limit the number of search res...

emiliavanderwer · ‎07-20-2018

When searching on an index, you can pipe to "head 100" and retrieve 100 results.

index=my_index cookie* | head 100

However, when searching over a data model, how do you tell it to get only 100 results?

| tstats count from datamodel=my_dm where g.message=cookie* by g.id

renjith_nair · ‎07-21-2018

@emiliavanderwerf,

Did you try

| tstats count from datamodel=my_dm where g.message=cookie* by g.id|head 100

Below works for me

|tstats count from datamodel=test by sourcetype|head 2

Where test is index=_internal

---
What goes around comes around. If it helps, hit it with Karma 🙂

woodcock · ‎07-21-2018

The exact same way:

| tstats count from datamodel=my_dm where g.message=cookie* by g.id | head 100

Or, more productively,

| tstats count from datamodel=my_dm where g.message=cookie* by g.id | sort 100 - count

renjith_nair · ‎07-21-2018

@emiliavanderwerf,

Did you try

| tstats count from datamodel=my_dm where g.message=cookie* by g.id|head 100

Below works for me

|tstats count from datamodel=test by sourcetype|head 2

Where test is index=_internal

---
What goes around comes around. If it helps, hit it with Karma 🙂

Is there any way to limit the number of search results in a data model?