Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Head command

SplunkSN
Loves-to-Learn Everything
‎10-23-2023 09:53 AM

Hi All,

 

Splunk "head" command by default retrieves top 10 columns and 10 results. may i know if we can control the number of columns to be retrieved.

index= <Splunk query>| timechart span=15m count by dest_domain usenull=f useother=f | head 15

e.g.

_time|column1|...............................................................|coulmn15
1

2

-

-

15

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-24-2023 01:09 AM

@SplunkSN  as @richgalloway says, the head command does not limit the columns/fields retrieved, it simply takes the first n results, so in your timechart case, it will return the earliest 15 rows of your timechart, so effectively 15 rows of 15 minute spans.

if you want to control the highest count of the dest_domain, you can use a where clause in the timechart, like this

| timechart span=15m count by dest_domain usenull=f useother=f where count in top10

which will show you the 10 dest_domain values that have the highest count.

 

0 Karma
Reply

_JP
Contributor
‎10-23-2023 10:31 AM

Are you interested in leaving out dest_domain values that don't have high counts?  A real simple way to approach it is to "pre-count" the dest_domain using eventstats, and limit just those that had more than a particular threshold (in this case 100) with the where command:

 

index= <Splunk query>
| eventstats count by sourcetype
| where count>100
| timechart span=15m count by dest_domain usenull=f useother=f | head 15

 

Also, when you think about how Splunk is running these commands, you might visualize it running these commands over and over your data...like several for-loops one right after another.  That's what it does.  That's what it is optimized for...it's a bit counterintuitive compared to databases where you are trying to limit full-scans of things.  The distributed architecture of Splunk is built for this.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2023 10:02 AM

To be pedantic, Splunk doesn't have "columns" in the DBA sense.  We call them "fields".

The head command returns all fields in the first n results.  The fields to return can be controlled with the fields command.

index= <Splunk query>
| fields _time column1 column2 ... column15
| timechart span=15m count by dest_domain usenull=f useother=f 
| head 15

In this case, however, head is unnecessary because timechart can do the same thing.

index= <Splunk query>
| fields _time column1 column2 ... column15
| timechart limit=15 span=15m count by dest_domain usenull=f useother=f

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...