I have n events but want to read only the 3rd and 4th records.
E.g.:
2018-02-09 ABCD 1234 5678
2018-02-09 EFGH 1334 9978
2018-02-08 ABCD 1234 6678
2018-02-08 EFGH 1324 7778
2018-02-07 ABCD 1254 5178
2018-02-07 EFGH 1384 5978
Out of records like the above, I have to pick the 3rd and 4th events only.
The head and tail commands give the first and last n events, but how do I pick the middle/in-between events?
It's a tad clunky, but as long as you want to sort by _time, there's a way to do it with streamstats:
| eval low=3
| eval high=4
| streamstats count as NewToOld
| head(NewToOld<=high)
| reverse
| streamstats count as OldToNew
| head(OldToNew<=high-low+1)
| reverse
Streamstats will basically index your events for you and then through a little mathematical manipulation, you can use head and tail (or in this case, reverse & head) to chop off either end of the results leaving only the desired middle results. Note that this will only work if you're looking for the middle results by the order Splunk found them (which is the same as _time as long as you don't have any appended results).
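A more direct form of the same idea, added here as an example and not taken from any of the answers above: number the events once with streamstats, then keep the rows you want with where, so the bounds live in two eval fields instead of two head/reverse passes. The six sample events are the ones from the question, rebuilt with makeresults so the search runs anywhere; the field names row, low and high are my own choices.

```spl
| makeresults | eval _raw="2018-02-09 ABCD 1234 5678"
| append [| makeresults | eval _raw="2018-02-09 EFGH 1334 9978"]
| append [| makeresults | eval _raw="2018-02-08 ABCD 1234 6678"]
| append [| makeresults | eval _raw="2018-02-08 EFGH 1324 7778"]
| append [| makeresults | eval _raw="2018-02-07 ABCD 1254 5178"]
| append [| makeresults | eval _raw="2018-02-07 EFGH 1384 5978"]
| eval low=3, high=4
| streamstats count AS row
| where row>=low AND row<=high
```

Against the sample data this returns the 2018-02-08 ABCD and 2018-02-08 EFGH events; change low and high to 5 and 6 to get the 2018-02-07 pair. The same caveat as above applies: row follows the order in which events reach streamstats, so in a real search add `| sort 0 - _time` before streamstats if you need the numbering to be newest-first regardless of how the events were produced.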
I do not know what the standard for "middle" is.
I think a little adjustment is necessary, but how about a search like this?
| makeresults | eval Date="2018-02-09", Value1="ABCD", Value2="1234", Value3="5678"
| append [| makeresults | eval Date="2018-02-09", Value1="EFGH", Value2="1334", Value3="9978"]
| append [| makeresults | eval Date="2018-02-08", Value1="ABCD", Value2="1234", Value3="6678"]
| append [| makeresults | eval Date="2018-02-08", Value1="EFGH", Value2="1324", Value3="7778"]
| append [| makeresults | eval Date="2018-02-07", Value1="ABCD", Value2="1254", Value3="5178"]
| append [| makeresults | eval Date="2018-02-07", Value1="EFGH", Value2="1384", Value3="5978"]
| eval number=1 | accum number | eventstats max(number) as max, median(number) as median
| eval Ref=floor(max/3) | where number>Ref and number<=median
Try this run-anywhere search:
| makeresults | eval _raw="2018-02-09 ABCD 1234 5678"
| append [| makeresults | eval _raw="2018-02-09 EFGH 1334 9978"]
| append [| makeresults | eval _raw="2018-02-08 ABCD 1234 6678"]
| append [| makeresults | eval _raw="2018-02-08 EFGH 1324 7778"]
| append [| makeresults | eval _raw="2018-02-07 ABCD 1254 5178"]
| append [| makeresults | eval _raw="2018-02-07 EFGH 1384 5978"]
| makemv _raw delim=" "
| eval field3=mvindex(_raw,2), field4=mvindex(_raw,3)
If I have n events, this will not help; moreover there won't be any hard-coded values, so is there any other way to access those events?
Have you tried it like this:
<base search giving events> | makemv _raw delim=" "
| eval field3=mvindex(_raw,2), field4=mvindex(_raw,3)
What type of hard coding are you referring to?
Yes, I have tried this, but it is not working as expected. I need to extract the 3rd and 4th rows or the 5th and 6th rows, not the columns.