you can use eventstats and streamstat to make this happen:
your base search | eventstats count as totalCount| streamstats count as line_no | eval showlines=case(totalCount>3,10, 1=1, 1) | where line_no<=showlines
replace 10 with the number of lines that you want to see for >3
@surekhasplunk, you can try following run anywhere search
Step 1) I have a Text box for your to mock the number of results. If not numeric or empty, it will defaults to 10.
Step 2) I have used the following dummy base search (post-processing to apply head
command in subsequent search) to create N-rows as per value selected in text box. You can put your current search here. PS: $tokRows$
defaults to 10.
| makeresults
| eval data=$tokRows$
| eval data=mvrange(0,data)
| mvexpand data
Step 3) Add <done>
search event handler to set the filter token number for head command based on default search event handler token $job.resultCount$
. PS: I have added additional condition for values between 3 to 10 it will show those many results. Only if greater than 10 it will show 10 results.
<done>
<condition match="$job.resultCount$<=3">
<set token="tokFilter">1</set>
</condition>
<condition match="$job.resultCount$>3 AND $job.resultCount$<=10 ">
<set token="tokFilter">$job.resultCount$</set>
</condition>
<condition>
<set token="tokFilter">10</set>
</condition>
</done>
Following is the complete run anywhere dashboard.
<form>
<label>Filter results based on search result count</label>
<fieldset submitButton="false">
<input type="text" token="Rows" searchWhenChanged="true">
<label>Number of Row to create</label>
<default>10</default>
<change>
<eval token="tokRows">if(match(value, "^[0-9]+$"),$value$, 10)</eval>
</change>
</input>
</fieldset>
<search id="baseSearch">
<query>| makeresults
| eval data=$tokRows$
| eval data=mvrange(0,data)
| mvexpand data</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<done>
<condition match="$job.resultCount$<=3">
<set token="tokFilter">1</set>
</condition>
<condition match="$job.resultCount$>3 AND $job.resultCount$<=10 ">
<set token="tokFilter">$job.resultCount$</set>
</condition>
<condition>
<set token="tokFilter">10</set>
</condition>
</done>
</search>
<row>
<panel>
<title>Results- $tokRows$ - Filtered- $tokFilter$</title>
<table>
<search base="baseSearch">
<query>
| head $tokFilter$
</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
you can use eventstats and streamstat to make this happen:
your base search | eventstats count as totalCount| streamstats count as line_no | eval showlines=case(totalCount>3,10, 1=1, 1) | where line_no<=showlines
replace 10 with the number of lines that you want to see for >3
Thanks a lot @MonkeyK it worked !!!