Usage of Splunk commands: TAIL

Usage of the Splunk command TAIL is as follows:

  • The tail command returns the last N results in the search order.
  • The events are returned in reverse order, starting at the end of the result set.
  • If no limit is specified, it shows the last 10 results by default, starting at the end of the result set.

 

Below is the syntax of the “tail” command in Splunk:

 tail [ <N> ]

 Example 1:

index=_internal NOT file="*sch*"
| table file
| dedup file
| tail 

Result: [image: tail1]

 Explanation:

In the above query, “file” is an existing field name in the “_internal” index.

The result set shows the last 10 file names in the “file” column. Because we haven’t given a limit with the “tail” command, by default it shows the last 10 values in the search order.

*********************************************************************************

Example 2:

index=_internal NOT file="*sch*"
| table file
| dedup file
| tail 8

Result: [image: tail2]

Explanation:

In the above query, “file” is an existing field name in the “_internal” index.

The result set shows the last 8 file names in the “file” column. Because we have given N=8 with the “tail” command, it shows the last 8 values in the search order.
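The reverse-order behaviour listed at the top of this page, as an added example that is not part of the original post: the search below generates 12 constructed results with makeresults, numbers them 1 to 12 in a field n (a name chosen here for illustration), and keeps the last 3. Without the final reverse the rows come back as n = 12, 11, 10; with it they are restored to 10, 11, 12.

```spl
| makeresults count=12
| streamstats count AS n
| table n
| tail 3
| reverse
```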

 

Now you can effectively utilize the “tail” command in your daily use to meet your requirements!

Hope you are now comfortable with: Usage of Splunk commands: TAIL

 

HAPPY SPLUNKING !!
