I have defined a transaction based on a JobID and I want to list the last N transactions. How can I do this?
sourcetype=stomp | transaction jobID startswith=(eventtype=Begin) endswith=(eventtype=End) unifyends=true
What I eventually want to do is track some stats over time for the last 10 transactions. For example, total number of bytes copied, average data rate, etc.
Thank you!
You can use the tail command to get the last N events from your search. So try something like this:
sourcetype=stomp | transaction jobID startswith=(eventtype=Begin) endswith=(eventtype=End) unifyends=true | tail 10 | ...your aggregation commands on these 10 results...
Update
Need to use "head" instead of "tail" here, as Splunk events are sorted in reverse chronological order.
sourcetype=stomp | transaction jobID startswith=(eventtype=Begin) endswith=(eventtype=End) unifyends=true | head 10 | ...your aggregation commands on these 10 results...
Thanks. That got me there, although what I want is head 10, not tail. Tail gave me the oldest 10 transactions instead of the newest.
Yup... Got confused by the word "Last". I've been using the UNIX tail command to get the last 5 lines almost the whole day today. Updated the answer.
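Putting the thread's answer together, here is an added example search (not from the original question or answer) that takes the 10 newest transactions and computes the kind of stats the question asks for. It assumes each job's End event carries a numeric `bytes` field holding the number of bytes copied (an assumption; the thread never names the field), and it uses the `duration` field that the transaction command itself adds (seconds between the first and last event of the transaction).

```spl
sourcetype=stomp
| transaction jobID startswith=(eventtype=Begin) endswith=(eventtype=End) unifyends=true
| head 10
| eval bytes_copied=tonumber(bytes)
| eval data_rate=if(duration>0, bytes_copied/duration, null())
| stats count AS transactions,
        sum(bytes_copied) AS total_bytes,
        avg(data_rate) AS avg_bytes_per_sec,
        avg(duration) AS avg_duration_sec,
        min(_time) AS oldest, max(_time) AS newest
| convert ctime(oldest) ctime(newest)
```

`head 10` keeps the first 10 transactions in the order the search emits them, which (as the thread found) is newest first; if you want that independent of emission order, `sort 10 -_time` can replace `head 10`. If `bytes` is logged on more than one event of a job, the field on the transaction becomes multivalued and `tonumber(bytes)` returns nothing; use `tonumber(mvindex(bytes, -1))` to take the value from the last (End) event instead. Transactions whose Begin or End event falls outside the search time range are incomplete, so widen the range enough to cover the longest job when computing rates.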