- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can we fetch only 8 rows from a lookup?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can we fetch only 8 rows from a lookup?
Our top user ended up with the following query -
| inputlookup WHERE
[ | makeresults count=8 | streamstats count | eval WEEKSTART=relative_time($MYWEEKPICKER$,"-" + tostring(count - 1) + "w@w0")
| table WEEKSTART ]| rename WEEKSTART AS _time
The intention of makeresults count=8 is to create a dummy eight rows and by doing it, limit the results to only 8 rows starting with $MYWEEKPICKER$. Can we do it in any other way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are looking to retrieve only 8 rows from a lookup table, and those 8 rows each contain a timestamp? So something else is setting a value to the token $MYWEEKPICKER$, and you want to find 8 rows whose timestamp is the same as that value? Or more recent than that value?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
-- and you want to find 8 rows whose timestamp is the same as that value
Of the data in the lookup file, we are trying to find out the eight previous dates available based the value from the drop-down.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming your timestamps are in a field called timestamp_field, try this:
|inputlookup mylookup | sort - timestamp_field | where timestamp_field<=$MYWEEKPICKER$ | head 8 | fields timestamp_field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could always put a | head 8 command in the mix to restrict it to the first 8 results of the lookup file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's exactly the problem as we need to find the starting point and go back 8 rows.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps you could you use a subsearch to find the data you are interested in | fields x and then pass those to the outer search?
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
