Solved: How to make Splunk stop searching after it finds a...

rockyrush · ‎07-24-2017

I have tried head 100, but it seems like it does a regular search and then gives me 100 results because it takes the same amount of time as a full search. I am looking for a way not to search 180 million entries when I only need 100 or so results.

rroberts · ‎07-24-2017

Have you tried event sampling?
https://www.function1.com/2016/08/event-sampling-new-splunk-6-4-feature

View solution in original post

jplumsdaine22 · ‎07-24-2017

What is your search? head should prevent a full search from being executed, unless it comes after a command that requires the data set to come back to the search head

rockyrush · ‎07-24-2017

Thanks so much! It was after commands which collected all the search terms

rroberts · ‎07-24-2017

Have you tried event sampling?
https://www.function1.com/2016/08/event-sampling-new-splunk-6-4-feature

rockyrush · ‎07-24-2017

Not exactly what I was hoping for. I want the latest 100 then I want to to stop searching entirely and just display the results it already has.

How to make Splunk stop searching after it finds a certain amount of results?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life