Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I return specific results using head and t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an alert currently set to return a full set of results based upon the stats command which sometimes might number as many as 30 rows. I would like to split this alert into 3 separate alerts to be emailed. The first will return results 1 through 5. The second 6 through 10. The third will show 11+.
The first alert is easy, I just have to add | head 5 to the end.
The second is where I have problems. The idea is to do something like | head 10 | tail 5, which works great when there are 10 or more results. However it falls apart if there are <10 results. I don't want the same result to be duplicated on multiple alerts. Unfortunately the tail command will not take a variable as an argument so I need to figure out how to pass it an integer based upon the total number of results in the search.
Another post suggested to pass it the results of a subsearch, but I get mixed results. The issue appears to be that the subsearch is evaluating several times as the events are being located and therefore the value keeps changing. The final value is somehow not evaluating to the number that I expect and therefore not executing the tail command properly.
For example, where stats is returning 8 results, this code addition is returning 5 results where I expect 3.
| head 10
| tail [ | stats count as numrec | eval search=if(numrec < 10, abs( numrec - 5), 5) | fields search ]
| reverse
If there's other methods of achieving what I need, I'm open to ideas.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what about using stream stats to essentially create a row number?
... | streamstats count as row_num | where row_num <=5 | fields - row_num
... | streamstats count as row_num | where row_num >5 AND row_num <=10 | fields - row_num
... | streamstats count as row_num | where row_num >10 | fields - row_num
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried the above search and it worked for me. I applied it to 8 results and 3 were returned ...
Have you tried breaking down the subsearch to see if each section is returning what you expect?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I output numrec and search to a table, I get 8 and 3 respectively which is what I expect. However, the values change as the events are pouring in and I suspect this is confusing the tail command somehow. Ideally I'd like that subsearch to only run once at the very end. Maciep's solution works a little more gracefully anyways.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what about using stream stats to essentially create a row number?
... | streamstats count as row_num | where row_num <=5 | fields - row_num
... | streamstats count as row_num | where row_num >5 AND row_num <=10 | fields - row_num
... | streamstats count as row_num | where row_num >10 | fields - row_num
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, this worked perfectly without having to make major changes to my existing code! Thanks.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
