Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem of choosing the line number from a report

abhayneilam
Contributor
‎01-30-2013 10:19 PM

Hi,

I have a report generated by SPLUNK , but I want to remove the first 5 lines and rest of the lines will be my output, how Do I do that, I am doing the following :

I am taking the count first, how many lines are there in the file ( Ex:- 1000 )
Then I am doing 1000-5=995 and Then ...|tail 995

But this is no feasible( what will happen if count is too huge and in the generic case )

Please help me regarding this , also if I want to fetch the record such as record no 10 to 20 , then what should be done.. we have kind of "sed" command in Shell Scripting to do that

Please help

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 12:29 AM

One way to achieve arbitrary selection of rows from your report would be to number them with streamstats and then filter based on the row number. Together with the count of rows you should be able to remove specific row counts from either end, or cut out windows like your 10 to 20.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 12:29 AM

One way to achieve arbitrary selection of rows from your report would be to number them with streamstats and then filter based on the row number. Together with the count of rows you should be able to remove specific row counts from either end, or cut out windows like your 10 to 20.

Reply
Solved! Jump to solution

Ayn
Legend
‎01-31-2013 03:48 AM

Yes, it does. That's why martin had it as the first command in his example. That was only an EXAMPLE - you need to tailor this to your situation.

0 Karma
Reply
Solved! Jump to solution

abhayneilam
Contributor
‎01-31-2013 03:37 AM

it is working fine thanks , but "gentimes" is not working, it is saying "gentimes" must be the first command ..

0 Karma
Reply
Solved! Jump to solution

abhayneilam
Contributor
‎01-31-2013 03:24 AM

yaa I had a look at "steamstats" docs, but it wasn't that much clear, lemme try out this one...

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎01-31-2013 03:16 AM

Did you look at the streamstats docs?

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 03:14 AM

Consider this "report":

| gentimes start=-1 increment=5m | streamstats count as row | eventstats count as total

It has two relevant fields, row and total, based on those two you can specify loads of conditions. For example, if you want to have all the lines from row 3 on you do this:

... | where row >= 3

If you want to have rows 10 through 20 you do this:

... | where row >= 10 AND row <= 20

If you want the bottom 10 rows you do this:

... | where (total - row) <= 10
0 Karma
Reply
Solved! Jump to solution

abhayneilam
Contributor
‎01-31-2013 03:03 AM

Can I please have one small example how to do that ?

lets say I have an output

1 A
2 B
3 C
4 D
5 E
I want to display fron 3 C to End , but I dont know the total lines of a file

Please help with this example

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...