Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trying to get the first 10 events based on sourcetype

Runals
Motivator
‎04-17-2014 05:41 AM

I'm trying to get the first 10 or so events per sourcetype but the methodology is escaping me. You can't simply use the head command. I also am wanting all fields in the event so can't do something like | top 10 by sourcetype as that doesn't specify any fields. Any thoughts?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kaufmanm
Communicator
‎04-17-2014 07:25 AM

You can use the dedup command to only keep 10 of each sourcetype, returning the full events:

* | dedup 10 sourcetype

View solution in original post

Reply
Solved! Jump to solution
Solution

kaufmanm
Communicator
‎04-17-2014 07:25 AM

You can use the dedup command to only keep 10 of each sourcetype, returning the full events:

* | dedup 10 sourcetype
Reply
Solved! Jump to solution

Runals
Motivator
‎04-17-2014 05:02 PM

Outstanding! thanks much.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options A recent Tech Talk, ...

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...