how can i search only last 1 million lines of 4 million lined total log file?
Assuming each line in the log file is treated as one event in Splunk:
source="yoursource" | head 1000000
Assuming each line in the log file is treated as one event in Splunk:
source="yoursource" | head 1000000