Splunk Search

How can I search and return only the first occurrence of a string?

ferza
Explorer

I have a simple search that goes:

sessionID=UNIQUESESSIONID "connected to "

This gives me the full log or event line that contains the phrase "connected to " as I'll need to see that whole event line/log line. However, at times I can get multiple occurrences of this line, but I only need to see just one of them. Is there something I can add at the end of my search to show only the first result in the log that meets that criteria? How about something where I can pipe in that just gives one occurrence of my search?

Tags (3)
0 Karma

musskopf
Builder

Just add | head 1 after your search...

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!