Usage of Splunk commands : HEAD

Usage of the Splunk command HEAD is as follows:

  • The head command returns the first N results in the search order.
  • A limit can be given to head in two ways: as a bare number (head N) or as the limit option (head limit=N).
  • If no limit is specified, head returns the first 10 results in the search order by default.

Find below the skeleton of the usage of the command “head” in SPLUNK:

  head [<N> | (<eval-expression>)] [limit=<int>] []

Example 1:

index=_internal 
| table file 
| dedup file 
| head

Result :

(Result screenshot: head1)

Explanation:

In the above query, “file” is an existing field name in the “_internal” index. The result set shows the first 10 file names in the “file” column. Because we have not given a limit with the “head” command, it shows the first 10 values in the search order by default.

*******************************************************************************

Example 2:

index=_internal
| table file
| dedup file
| head 5

Result :

(Result screenshot: head2)

Explanation :

In the above query, “file” is an existing field name in the “_internal” index. The result set shows the first 5 file names in the “file” column. Because we have given N=5 with the “head” command, it shows the first 5 values in the search order.

****************************************************************************

Example 3 :

index=_internal 
| table file 
| dedup file 
| head limit=7

Result :

(Result screenshot: head3)

Explanation :

In the above query, “file” is an existing field name in the “_internal” index. The result set shows the first 7 file names in the “file” column. Because we have given limit=7 with the head command, it shows the first 7 values in the search order.

*******************************************************************************

Example 4 :

index=_internal
| table file,date_minute
| dedup file,date_minute
| head ( date_minute > 50 )

Result :

(Result screenshot: head4)

Explanation :

In the above query, “file” and “date_minute” are two existing field names in the “_internal” index. With an eval expression, head returns results in search order for as long as date_minute > 50 holds, and stops at the first result where date_minute <= 50; results after that point are not returned even if they would satisfy the expression.
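As an added example (not part of the original post and not Splunk's own code), the following Python script models how the four queries above truncate a result set: the default of 10, a count given as N or limit=N, and an eval expression that stops at the first result where it is no longer true. The events are constructed to resemble the “file” and “date_minute” fields of the _internal index; the dedup helper, the field values and the rule that a count limit applies in expression mode only when one is given alongside it are assumptions of this model, not documented Splunk behaviour. The last function contrasts head with a plain filter, which is the distinction Example 4 turns on.

```python
# Added illustration of the SPL "head" command's truncation rules.
# This is a model written for this page, not Splunk code.
from typing import Any, Callable, Dict, Iterable, List, Optional

Event = Dict[str, Any]

DEFAULT_LIMIT = 10  # Splunk's default when neither N nor limit= is given

# Constructed sample events standing in for "_internal" results in search order.
SAMPLE_EVENTS: List[Event] = [
    {"file": f"log{i:02d}.log", "date_minute": m}
    for i, m in enumerate([55, 58, 51, 49, 57, 52, 53, 56, 59, 54, 50, 48])
]


def dedup(results: Iterable[Event], *fields: str) -> List[Event]:
    """Model of '| dedup f1,f2': keep the first result for each field combination."""
    seen = set()
    kept: List[Event] = []
    for ev in results:
        key = tuple(ev.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept


def head(results: Iterable[Event],
         n: Optional[int] = None,
         predicate: Optional[Callable[[Event], bool]] = None) -> List[Event]:
    """Model of '| head [N] [limit=N] [(<expr>)]'.

    n         -> like 'head N' or 'head limit=N'.
    predicate -> like 'head (<eval-expression>)': keep results while the
                 expression is true, stop at the first one where it is not.
    Neither   -> the first DEFAULT_LIMIT (10) results.
    Assumption of this model: with only an expression, no count limit applies.
    """
    if n is not None:
        limit: Optional[int] = n
    else:
        limit = None if predicate is not None else DEFAULT_LIMIT
    kept: List[Event] = []
    for ev in results:
        if limit is not None and len(kept) >= limit:
            break
        if predicate is not None and not predicate(ev):
            break  # first non-true expression ends the output; no further scanning
        kept.append(ev)
    return kept


def example1() -> List[str]:
    """index=_internal | table file | dedup file | head"""
    return [e["file"] for e in head(dedup(SAMPLE_EVENTS, "file"))]


def example2() -> List[str]:
    """... | dedup file | head 5"""
    return [e["file"] for e in head(dedup(SAMPLE_EVENTS, "file"), n=5)]


def example3() -> List[str]:
    """... | dedup file | head limit=7"""
    return [e["file"] for e in head(dedup(SAMPLE_EVENTS, "file"), n=7)]


def example4() -> List[str]:
    """... | dedup file,date_minute | head (date_minute > 50)"""
    rows = head(dedup(SAMPLE_EVENTS, "file", "date_minute"),
                predicate=lambda e: e["date_minute"] > 50)
    return [e["file"] for e in rows]


def where_filter() -> List[str]:
    """Contrast: a filter such as '| where date_minute > 50' keeps every match,
    whereas head (date_minute > 50) stops at the first result that fails."""
    return [e["file"] for e in SAMPLE_EVENTS if e["date_minute"] > 50]


if __name__ == "__main__":
    for name, fn in [("head", example1), ("head 5", example2),
                     ("head limit=7", example3), ("head (date_minute > 50)", example4),
                     ("where date_minute > 50", where_filter)]:
        print(f"{name:28s} -> {len(fn())} rows: {fn()}")
```

Running the script shows that head (date_minute > 50) returns only the first three files (the fourth event has date_minute 49), while the equivalent where filter returns nine; that difference is what makes head with an expression suitable for “read until a condition changes” and a filter suitable for “keep everything matching”.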

Now you can effectively use the “head” command in your daily work to meet your requirements!!

Hope you are now comfortable in : Usage of Splunk commands : HEAD

 

Happy Splunking !!
