How to read middle events from the event list?

Rajkumarkbm
Engager

I have n number of events but want to read the 3rd and 4th records.

Eg:
2018-02-09 ABCD 1234 5678
2018-02-09 EFGH 1334 9978
2018-02-08 ABCD 1234 6678
2018-02-08 EFGH 1324 7778
2018-02-07 ABCD 1254 5178
2018-02-07 EFGH 1384 5978

Out of the above kind of records I have to pick the 3rd and 4th event only.

The head and tail commands will give the first and last n number of events, but how do I pick middle/in-between events?


LHAYNES020
Explorer

It's a tad clunky, but as long as you want to sort by _time, there's a way to do it with streamstats:

| eval low=3 
| eval high=4 
| streamstats count as NewToOld 
| head(NewToOld<=high) 
| reverse 
| streamstats count as OldToNew 
| head(OldToNew<=high-low+1) 
| reverse

Streamstats will basically index your events for you and then through a little mathematical manipulation, you can use head and tail (or in this case, reverse & head) to chop off either end of the results leaving only the desired middle results. Note that this will only work if you're looking for the middle results by the order Splunk found them (which is the same as _time as long as you don't have any appended results).

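A shorter, run-anywhere version of the same idea, added here as an example and not taken from any post in this thread: streamstats numbers the events once, and a single where clause keeps the rows between low and high (set to 3 and 4 here to match the question). The six makeresults rows are constructed to mirror the sample data above; in a real search replace the makeresults/case lines with your base search and keep everything from the streamstats line down.

```spl
| makeresults count=6
| streamstats count as rownum
| eval _raw=case(
      rownum==1, "2018-02-09 ABCD 1234 5678",
      rownum==2, "2018-02-09 EFGH 1334 9978",
      rownum==3, "2018-02-08 ABCD 1234 6678",
      rownum==4, "2018-02-08 EFGH 1324 7778",
      rownum==5, "2018-02-07 ABCD 1254 5178",
      rownum==6, "2018-02-07 EFGH 1384 5978")
| eval low=3, high=4
| where rownum>=low AND rownum<=high
| table rownum _raw
```

The same ordering caveat applies: streamstats counts events in the order the search pipeline delivers them, which for a plain event search is newest first, so rownum 3 and 4 are the 3rd and 4th most recent events. Put `| sort 0 _time` (or `| reverse`) before the streamstats line if "3rd and 4th" should be counted from the oldest event instead.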

HiroshiSatoh
Champion

I do not know the criterion for "middle".
I think a little adjustment is necessary, but how about a search like this?

| makeresults | eval Date="2018-02-09",Value1="ABCD",Value2="1234",Value3="5678"
| append [| makeresults | eval Date="2018-02-09",Value1="EFGH",Value2="1334",Value3="9978"]
| append [| makeresults | eval Date="2018-02-08",Value1="ABCD",Value2="1234",Value3="6678"]
| append [| makeresults | eval Date="2018-02-08",Value1="EFGH",Value2="1324",Value3="7778"]
| append [| makeresults | eval Date="2018-02-07",Value1="ABCD",Value2="1254",Value3="5178"]
| append [| makeresults | eval Date="2018-02-07",Value1="EFGH",Value2="1384",Value3="5978"]
| eval number=1 | accum number | eventstats max(number) as max, median(number) as median
| eval Ref=floor(max/3) | where number>Ref and number<=median

493669
Super Champion

Try this run anywhere search:

| makeresults | eval _raw="2018-02-09 ABCD 1234 5678"
| append [| makeresults | eval _raw="2018-02-09 EFGH 1334 9978"]
| append [| makeresults | eval _raw="2018-02-08 ABCD 1234 6678"]
| append [| makeresults | eval _raw="2018-02-08 EFGH 1324 7778"]
| append [| makeresults | eval _raw="2018-02-07 ABCD 1254 5178"]
| append [| makeresults | eval _raw="2018-02-07 EFGH 1384 5978"]
| makemv _raw delim=" "
| eval field3=mvindex(_raw,2), field4=mvindex(_raw,3)

Rajkumarkbm
Engager

If I have n number of events this will not help, and moreover there won't be any hard coding, so is there any other way to access those events?

493669
Super Champion

Have you tried it like this:

<base search giving events> | makemv _raw delim=" "
| eval field3=mvindex(_raw,2), field4=mvindex(_raw,3)

What type of hard coding are you saying?


Rajkumarkbm
Engager

Yes, I have tried this but it is not working as expected. I need to extract the 3rd and 4th rows, or the 5th and 6th rows, not the columns.
