Re: How can I limit the number of events returned ...

nidhiagrawal · ‎12-16-2015

I'm using Splunk to build some of the basic metrics. Events which are returned run in millions. I have to look for daily average response time, and have to run this search over a week of time. What is the option to limit my search to specific number of events say 100,000? Changing the time duration is not an option.

jmallorquin · ‎12-16-2015

Can you show us what kind of metrics do you want to make and a example of events?

sundareshr · ‎12-16-2015

How do you want to limit them, if not my time. Options are you could use keywords in your search to return only events that match. Or you could return top x like this .. | head x

sundareshr · ‎12-16-2015

If you're looking to find random events,see if this post gives you any ideas

https://answers.splunk.com/answers/141810/finding-random-events.html

nidhiagrawal · ‎12-16-2015

Does head have an option to pick random events. if I choose 100,000 then it will be first of those. But ideally i would like to scatter the events during the given time range.

jmallorquin · ‎12-16-2015

Hi,

sundareshr is right but the problem of use | head x is that you truncate the search so you can't have accurate results

How can I limit the number of events returned from a search?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

How can I limit the number of events returned from a search?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions