Splunk Search

How can I search and return only the first occurrence of a string?


I have a simple search that goes:

sessionID=UNIQUESESSIONID "connected to "

This gives me the full log or event line that contains the phrase "connected to " as I'll need to see that whole event line/log line. However, at times I can get multiple occurrences of this line, but I only need to see just one of them. Is there something I can add at the end of my search to show only the first result in the log that meets that criteria? How about something where I can pipe in that just gives one occurrence of my search?



Just add | head 1 after your search...
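
An added example, not part of the original answer: Splunk returns events newest first by default, so `| head 1` keeps the most recent match, and the first query below sorts ascending by `_time` to keep the chronologically first one instead. The second query goes beyond the single-session case and keeps the earliest match for every session, assuming `sessionID` is an extracted field as in the question's search.

```spl
sessionID=UNIQUESESSIONID "connected to "
| sort 0 _time
| head 1

sessionID=* "connected to "
| sort 0 _time
| dedup sessionID
| table _time sessionID _raw
```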
