Hi there!
I'm looking at this previous question here:
I have a similar question. I have a search that brings back 8 events. They are numbered 1 through 8. My search is pretty simple and looks like this:
source="/opt/log/blahblahblah/epp_server/epp_server.log" sessionID="[10.9.231.111:59671:130.250.4.141:1000-whoohoo;]"
From this sessionID I searched for I got back 8 events. It will always be 8 events no matter what sessionID I search for.
So with that in mind I'd like to do a search sort of like this:
[gnovak@yoogieboogie]$ seq 1 10
1
2
3
4
5
6
7
8
9
10
[gnovak@yoogieboogie]$ seq 1 10 | grep 5
5
[gnovak@yoogieboogie]$ seq 1 10 | grep -B 3 5
2
3
4
5
[gnovak@yoogieboogie]$ seq 1 10 | grep -A 3 5
5
6
7
8
I'd like to do a search in Splunk on the actual "number" of the event returned. Is it possible to do that or would I have to make an eventtype for something that happens on that numbered event?
Have you tried streamstats to create a sequence number?
"your search" | streamstats count as seq by sessionID | search seq > 3 AND seq < 8
No, I'll give this a shot!
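The `grep -B 3` case from the question, built on the streamstats numbering suggested in the answer, as an added example that is not part of the original thread. It assumes events should be numbered oldest-first (hence the explicit sort, because Splunk returns the newest events first by default), and PLACEHOLDER_PATTERN is a stand-in regex for the event of interest, not a value from the thread.

```spl
source="/opt/log/blahblahblah/epp_server/epp_server.log" sessionID="[10.9.231.111:59671:130.250.4.141:1000-whoohoo;]"
| sort 0 _time
| streamstats count AS seq BY sessionID
| eventstats min(eval(if(match(_raw, "PLACEHOLDER_PATTERN"), seq, null()))) AS hit BY sessionID
| where seq >= hit - 3 AND seq <= hit
| table _time sessionID seq _raw
```

For the `grep -A 3` equivalent, change the last filter to `where seq >= hit AND seq <= hit + 3`; to pick a fixed position instead, drop the eventstats line and use `where seq = 5`. Sessions with no matching event return nothing, because `hit` is null for them.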