Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I search and return only the first occurrence of a string?

ferza
Explorer
‎02-18-2015 07:59 PM

I have a simple search that goes:

sessionID=UNIQUESESSIONID "connected to "

This gives me the full log or event line that contains the phrase "connected to " as I'll need to see that whole event line/log line. However, at times I can get multiple occurrences of this line, but I only need to see just one of them. Is there something I can add at the end of my search to show only the first result in the log that meets that criteria? How about something where I can pipe in that just gives one occurrence of my search?

Tags (3)
0 Karma
Reply

musskopf
Builder
‎02-18-2015 09:55 PM

Just add | head 1 after your search...

Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...