Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write a search to get only the first 3 events for each Eventcode from Windows event logs?

basanthp
Path Finder
‎11-11-2015 09:06 PM

I am running the following search to get events from Windows event logs for the past month. I want to restrict the search to extract only first 3 events for each event code. Any pointers please?

index=xxxx sourcetype=yyyy host=zzzz | table _time,host,EventCode,EventCodeDescription,_raw

Required output:
EventCode1
EventCode1
EventCode1
EventCode2
EventCode2
EventCode2
EventCode3
EventCode3
EventCode3
.
.
.

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎11-11-2015 09:18 PM

this will work.

index=xxxx sourcetype=yyyy host=zzzz |streamstats count as i by EventCode | search i<4 | fields host,EventCode,EventCodeDescription

streamstats goes through your rows and with each distinct EventCode treated separately, it puts a field called "i" on each row whose value is the number of rows that have had that EventCode value on them. ie, for EventCode=12 , the first such row gets i=1, second gets i=2 etc. Then we just let it go through the whole set, and then use search i<4 to throw away everything that wasn't the first three representative events for the given code.

http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Streamstats

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎11-11-2015 09:18 PM

this will work.

index=xxxx sourcetype=yyyy host=zzzz |streamstats count as i by EventCode | search i<4 | fields host,EventCode,EventCodeDescription

streamstats goes through your rows and with each distinct EventCode treated separately, it puts a field called "i" on each row whose value is the number of rows that have had that EventCode value on them. ie, for EventCode=12 , the first such row gets i=1, second gets i=2 etc. Then we just let it go through the whole set, and then use search i<4 to throw away everything that wasn't the first three representative events for the given code.

http://docs.splunk.com/Documentation/Splunk/6.3.1/SearchReference/Streamstats

0 Karma
Reply
Solved! Jump to solution

basanthp
Path Finder
‎11-11-2015 10:25 PM

Thanks for the query. But i get only 3 rows in total and I need 3 rows for each eventcode. Will go through the above link to understand the streamstats function.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-11-2015 10:33 PM

Hmm. Well I would verify that there is in fact more than one EventCode for that combination of index source and host, by running this index=xxxx sourcetype=yyyy host=zzzz | stats count by EventCode

If there's more than one EventCode value in the set then the streamstats+search combination in my answer should be working. Here's another related example you can play with yourself that uses Splunk's index=_internal data.

index=_internal | head 10000 | streamstats global=f count as i by sourcetype | search i<4 | sort sourcetype

In the most recent 10,000 events it returns the 3 most recent events for every sourcetype.

0 Karma
Reply
Solved! Jump to solution

basanthp
Path Finder
‎11-11-2015 10:53 PM

Yes. working fine now. I changed the fields command to table command and i get the expected results. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...