Solved: How can I pass a variable to the tail command?

terryloar · ‎12-09-2014

...
| tail 200

works fine.
...
| eval tail_value=200
| tail tail_value

throws this error:
Error in 'tail' command: The number of results must be a positive number.

I've used tokens as the tail argument but a simple variable is not recognized. For example:
...
| tail $token_from_dropdown$

works.

We've written a cumbersome work-around, but I know I'm missing the simple solution.

Thanks.

jhupka · ‎12-10-2014

One possibility is to get the dynamic value via a subsearch:

index=_internal | tail [ | stats count | eval search=10 | fields search ]

That will effectively expand to a search that looks like this:

 index=_internal | tail ((10))

So in your case just come up with a subsearch that dynamically obtains your value.

jhupka · ‎12-10-2014

One possibility is to get the dynamic value via a subsearch:

index=_internal | tail [ | stats count | eval search=10 | fields search ]

That will effectively expand to a search that looks like this:

 index=_internal | tail ((10))

So in your case just come up with a subsearch that dynamically obtains your value.

terryloar · ‎12-10-2014

Good, simple solution. Thanks.

How can I pass a variable to the tail command?