Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

fetch between 2000 to 3000 events in query

pasokkum
Path Finder
‎09-02-2016 04:31 AM

Hi,

In splunk query 'head' command is used to get the first 'particular' number of events. I want to get the events between the specified numbers. My query should be something like index=myindex sourcetype=mysorcetype | head (2000 to 3000)
Is there any command to get the events range?

Tags (1)
Reply

sundareshr
Legend
‎09-02-2016 06:52 AM

This is another option

index=myindex sourcetype=mysourcetype | streamstats count | where count>=2000 AND count<=3000 | fields - count
Reply

Runals
Motivator
‎09-02-2016 04:39 AM

I don't think so but could be wrong. An option that comes to mind, though not particularly elegant, is

index=myindex sourcetype=mysourcetype | head 3000 | tail 1000

Here you'd get the top 3k and then with the tail command get the bottom 1k

Reply

pasokkum
Path Finder
‎09-02-2016 06:43 AM

Thanks Runals..! | head 3000 | tail 1000 is taking more time to load the results results when compared to | head 1000..

0 Karma
Reply

Runals
Motivator
‎09-02-2016 06:55 AM

yeah I'm guessing tail will result in longer times as Splunk has to read 'through' all of the events to get to the bottom/end of the result set (highly technical description there). A somewhat more inelegant but potentially faster solution might be

... | head 300 | reverse | head 1000 | reverse

the point of the numbers though was to get to items number 2k through 3k from your original request. In my environment I did a search on Windows Security Event Viewer logs from a very large index (tens of millions of Windows audit logs). The head / tail solution took 4.9s. The head/reverse/head/reverse method took 2.9s /shrug.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...