fetch between 2000 to 3000 events in query

pasokkum · ‎09-02-2016

Hi,

In splunk query 'head' command is used to get the first 'particular' number of events. I want to get the events between the specified numbers. My query should be something like index=myindex sourcetype=mysorcetype | head (2000 to 3000)
Is there any command to get the events range?

sundareshr · ‎09-02-2016

This is another option

index=myindex sourcetype=mysourcetype | streamstats count | where count>=2000 AND count<=3000 | fields - count

Runals · ‎09-02-2016

I don't think so but could be wrong. An option that comes to mind, though not particularly elegant, is

index=myindex sourcetype=mysourcetype | head 3000 | tail 1000

Here you'd get the top 3k and then with the tail command get the bottom 1k

pasokkum · ‎09-02-2016

Thanks Runals..! | head 3000 | tail 1000 is taking more time to load the results results when compared to | head 1000..

Runals · ‎09-02-2016

yeah I'm guessing tail will result in longer times as Splunk has to read 'through' all of the events to get to the bottom/end of the result set (highly technical description there). A somewhat more inelegant but potentially faster solution might be

... | head 300 | reverse | head 1000 | reverse

the point of the numbers though was to get to items number 2k through 3k from your original request. In my environment I did a search on Windows Security Event Viewer logs from a very large index (tens of millions of Windows audit logs). The head / tail solution took 4.9s. The head/reverse/head/reverse method took 2.9s /shrug.

fetch between 2000 to 3000 events in query

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes