Solved: How can I make Splunk stop searching after it find...

rlough · ‎02-02-2015

Hey there!

I have a query that will always only return one result. This result will be different depending on the input from a dashboard, but no matter the input the number of results will be either zero or one.

Is there a way to have Splunk stop querying after it finds this result? I'm searching through a lot of data so it doesn't make sense to keep searching after finding what I wanted. This is using the table command.

aweitzman · ‎02-02-2015

Use the head command prior to the table command:

...your search... | head 1 | table...

See http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Head for a description of the head command.

View solution in original post

aweitzman · ‎02-02-2015

Use the head command prior to the table command:

...your search... | head 1 | table...

See http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Head for a description of the head command.

rlough · ‎02-02-2015

Oh wow, I was putting the head command at the end. Thanks!

How can I make Splunk stop searching after it finds a set number of results?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms