Hi,
In a Splunk query the 'head' command is used to get the first 'particular' number of events. I want to get the events between the specified numbers. My query should be something like index=myindex sourcetype=mysourcetype | head (2000 to 3000)
Is there any command to get the events range?
This is another option
index=myindex sourcetype=mysourcetype | streamstats count | where count>=2000 AND count<=3000 | fields - count
I don't think so but could be wrong. An option that comes to mind, though not particularly elegant, is
index=myindex sourcetype=mysourcetype | head 3000 | tail 1000
Here you'd get the top 3k and then with the tail command get the bottom 1k
Thanks Runals..! | head 3000 | tail 1000 is taking more time to load the results when compared to | head 1000..
Yeah, I'm guessing tail will result in longer times as Splunk has to read 'through' all of the events to get to the bottom/end of the result set (highly technical description there). A somewhat more inelegant but potentially faster solution might be
... | head 3000 | reverse | head 1000 | reverse
The point of the numbers though was to get to items 2k through 3k from your original request. In my environment I did a search on Windows Security Event Viewer logs from a very large index (tens of millions of Windows audit logs). The head / tail solution took 4.9s. The head/reverse/head/reverse method took 2.9s /shrug.
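As an added illustration, not from this thread or from Splunk itself, the following Python model re-implements head, tail, reverse and streamstats count as streaming operators over a constructed event source and runs the three pipelines from the thread through it. The source counts how many events each pipeline pulls, which is the reason head-based pipelines finish early while streamstats/where must scan the whole search; it also exposes that head 3000 | tail 1000 returns events 2001-3000 whereas count>=2000 AND count<=3000 returns 2000-3000 (the operator semantics are an assumption modelled on the SPL docs, not Splunk's engine).

```python
from itertools import islice

class CountingSource:
    """Constructed event source: serial-numbered events, counting how many are read."""
    def __init__(self, total):
        self.total = total
        self.reads = 0
    def __iter__(self):
        for i in range(1, self.total + 1):
            self.reads += 1
            yield {"_serial": i}

def head(events, n):
    """Emit at most the first n events and stop reading upstream (like SPL head)."""
    return islice(events, n)

def tail(events, n):
    """Emit the last n events; must read the whole upstream first (like SPL tail)."""
    buf = list(events)
    return iter(buf[-n:])

def reverse(events):
    """Reverse event order; also has to buffer everything upstream."""
    buf = list(events)
    buf.reverse()
    return iter(buf)

def streamstats_count(events):
    """Attach a running 1-based count field to each event (streamstats count)."""
    for i, e in enumerate(events, 1):
        yield dict(e, count=i)

def where_range(events, lo, hi):
    """where count>=lo AND count<=hi; cannot stop the upstream search early."""
    return (e for e in events if lo <= e["count"] <= hi)

# The three pipelines discussed in the thread, returning the serials they emit.
def head_tail(src):            # | head 3000 | tail 1000
    return [e["_serial"] for e in tail(head(src, 3000), 1000)]

def head_rev_head_rev(src):    # | head 3000 | reverse | head 1000 | reverse
    return [e["_serial"] for e in reverse(head(reverse(head(src, 3000)), 1000))]

def streamstats_where(src):    # | streamstats count | where count>=2000 AND count<=3000
    return [e["_serial"] for e in where_range(streamstats_count(src), 2000, 3000)]

if __name__ == "__main__":
    for pipe in (head_tail, head_rev_head_rev, streamstats_where):
        s = CountingSource(10_000)
        out = pipe(s)
        print(f"{pipe.__name__}: {len(out)} events {out[0]}..{out[-1]}, read {s.reads}")
```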