Splunk Search

Tail and head commands for two different values on same field

Allampally
Path Finder

Hi Experts,

I have a requirement. I have a field called 'exception' and it has two values: one is 'open file' and the other is 'half open file'.
Exceptions start with 'half open file', and these events are typically more than 50; then follow the 'open file' events,
and this count might be anything more than 100. This count is within a span of just 5 minutes.
Now, my requirement is to display both values, 'open file' and 'half open file'. My output should be exactly 10 rows:
'half open file' events should be displayed with tail 5 and 'open file' events should be displayed with head 5.
Together both counts equal 10 events.

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults count=50 | eval exception="open file"
| streamstats count AS _time
| append [| makeresults count=100 | eval exception="half open file"| streamstats count AS _time
| eval _time = _time + _time % 2]
| sort 0 - _time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| multireport [ search exception="half open file" | head 5 ] [ search exception="open file" | tail 5 ]
0 Karma

Allampally
Path Finder

Hi Wood,
Thanks for looking into it. The counts which I have mentioned, 50 and 100, are not fixed. Hence, I don't want to use makeresults, and I also have a search query to catch the exception. I made changes to your query according to my requirement, but it seems it is not working. It is not producing exactly 10 events.

0 Karma

woodcock
Esteemed Legend

My solution is to add the last line to your existing search. Did you do that? The other stuff is there to PROVE that the last line works (it does).

0 Karma
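A single-pass variant, added here as an illustration and not taken from the thread: it keeps the same selection as the answer above (the newest 5 'half open file' events and the oldest 5 'open file' events, i.e. the transition between the two states) but uses streamstats and eventstats instead of multireport, so the group sizes never need to be known in advance. The index name is a placeholder; the `rename COMMENT` line is the thread's own comment idiom and does nothing.

```spl
index=<your_index> (exception="half open file" OR exception="open file")
| sort 0 - _time
| rename COMMENT AS "newest first; pos = position within each exception value, total = size of that group"
| streamstats count AS pos BY exception
| eventstats count AS total BY exception
| where (exception="half open file" AND pos<=5) OR (exception="open file" AND pos>total-5)
| table _time exception
```

If either group has fewer than 5 events in the window, the output is correspondingly shorter rather than padded to 10.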