Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem of choosing the line number from a report

abhayneilam
Contributor
‎01-30-2013 10:19 PM

Hi,

I have a report generated by SPLUNK , but I want to remove the first 5 lines and rest of the lines will be my output, how Do I do that, I am doing the following :

I am taking the count first, how many lines are there in the file ( Ex:- 1000 )
Then I am doing 1000-5=995 and Then ...|tail 995

But this is no feasible( what will happen if count is too huge and in the generic case )

Please help me regarding this , also if I want to fetch the record such as record no 10 to 20 , then what should be done.. we have kind of "sed" command in Shell Scripting to do that

Please help

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 12:29 AM

One way to achieve arbitrary selection of rows from your report would be to number them with streamstats and then filter based on the row number. Together with the count of rows you should be able to remove specific row counts from either end, or cut out windows like your 10 to 20.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 12:29 AM

One way to achieve arbitrary selection of rows from your report would be to number them with streamstats and then filter based on the row number. Together with the count of rows you should be able to remove specific row counts from either end, or cut out windows like your 10 to 20.

Reply
Solved! Jump to solution

Ayn
Legend
‎01-31-2013 03:48 AM

Yes, it does. That's why martin had it as the first command in his example. That was only an EXAMPLE - you need to tailor this to your situation.

0 Karma
Reply
Solved! Jump to solution

abhayneilam
Contributor
‎01-31-2013 03:37 AM

it is working fine thanks , but "gentimes" is not working, it is saying "gentimes" must be the first command ..

0 Karma
Reply
Solved! Jump to solution

abhayneilam
Contributor
‎01-31-2013 03:24 AM

yaa I had a look at "steamstats" docs, but it wasn't that much clear, lemme try out this one...

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎01-31-2013 03:16 AM

Did you look at the streamstats docs?

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 03:14 AM

Consider this "report":

| gentimes start=-1 increment=5m | streamstats count as row | eventstats count as total

It has two relevant fields, row and total, based on those two you can specify loads of conditions. For example, if you want to have all the lines from row 3 on you do this:

... | where row >= 3

If you want to have rows 10 through 20 you do this:

... | where row >= 10 AND row <= 20

If you want the bottom 10 rows you do this:

... | where (total - row) <= 10
0 Karma
Reply
Solved! Jump to solution

abhayneilam
Contributor
‎01-31-2013 03:03 AM

Can I please have one small example how to do that ?

lets say I have an output

1 A
2 B
3 C
4 D
5 E
I want to display fron 3 C to End , but I dont know the total lines of a file

Please help with this example

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...