Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you skip the first x rows returned in a se...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ewanbrown
Path Finder
08-10-2018
03:56 AM
Hi,
If I have a query which returns 100 rows I'd like to be able to only get rows 11-100 shown (and if 200 only rows 11-200)
I have looked for an offset command similar to head or tail but I can't see one. Do you know how I could go about this?
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harishalipaka
Motivator
08-10-2018
04:09 AM
hi @ewanbrown
try like this
| makeresults
| fields - _time
| eval data="A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 A11 A12 A13 A14 A15 A16 A17 A18"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" " | mvexpand data |streamstats count as result |where result >10 |fields - result
Thanks
Harish
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harishalipaka
Motivator
08-10-2018
04:09 AM
hi @ewanbrown
just add this end of your query : |streamstats count as result |where result >10
Thanks
Harish
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ewanbrown
Path Finder
08-10-2018
04:19 AM
Thanks! That works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harishalipaka
Motivator
08-10-2018
04:09 AM
hi @ewanbrown
try like this
| makeresults
| fields - _time
| eval data="A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 A11 A12 A13 A14 A15 A16 A17 A18"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" " | mvexpand data |streamstats count as result |where result >10 |fields - result
Thanks
Harish
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
08-10-2018
04:21 AM
nice idea @harishalipaka!
Get Updates on the Splunk Community!
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...
Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...
Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...
Reduce and Transform Your Firewall Data with Splunk Data Management
Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...
