Solved: Re: How to print results excluding the last line i...

perlish · ‎08-07-2015

Hi all,

I want to print results excluding the last line.
In Linux, I can use head -n -1
but in Splunk, the head command only accepts positive numbers.

woodcock · ‎08-07-2015

You can do it like this:

... | reverse | streamstats current=t count AS SERIAL | where SERIAL > 1 | reverse | fields - SERIAL

somesoni2 · ‎08-07-2015

Here are the options that you can try is this. Again it depends on what search you're using,( how complex, how big, current performance.

Option 1

Your current search giving N results | head [Your current search again giving N results| stats count | eval count=count-1 | return $count]

Option 2

your current search giving N results | eval sno=1 | accum sno | eventstats max(sno) as max | where max!=son | fields - max,sno

woodcock · ‎08-07-2015

It is max!=sno, not max!=son, right?

DavidHourani · ‎06-05-2019

yeah, it is...you know nothing jon sno

woodcock · ‎08-07-2015

You can do it like this:

... | reverse | streamstats current=t count AS SERIAL | where SERIAL > 1 | reverse | fields - SERIAL

woodcock · ‎08-07-2015

Had a typo: was SERIAL > 0 but is corrected now to SERIAL > 1.

DavidHourani · ‎08-02-2016

Good job man, you rock !

perlish · ‎08-09-2015

Yes. You solved my issue. Thanks very much.

How to print results excluding the last line in Splunk like "head -n -1" in LInux?