Usage of Splunk commands : HEAD
Usage of Splunk commands : HEAD is as follows
- Head command returns the first N number of results in the search order.
- There are two types of limit that can be used with the head command.
- If no limit is specified, by default it shows the first 10 results in the search order.
Find below the skeleton of the usage of the command “head” in SPLUNK :
head [ <N> | (<eval-expression>) ] [ limit = <int> ] []
Example 1:
index=_internal | table file | dedup file | head
Result :
Explanation:
In the above query, “file” is an existing field name in the “_internal” index. The result set shows the first 10 file names in the “file” column. Because we haven’t given a limit with the “head” command, by default it shows the first 10 values in the search order.
*******************************************************************************
Example 2:
index=_internal | table file | dedup file | head 5
Result :
Explanation :
In the above query, “file” is an existing field name in the “_internal” index. The result set shows the first 5 file names in the “file” column. Because we have given N=5 with the “head” command, it shows the first 5 values in the search order.
****************************************************************************
Example 3 :
index=_internal | table file | dedup file | head limit=7
Result :
Explanation :
In the above query, “file” is an existing field name in the “_internal” index. The result set shows the first 7 file names in the “file” column. Because we have given limit=7 with the “head” command, it shows the first 7 values in the search order.
*******************************************************************************
Example 4 :
index=_internal | table file,date_minute | dedup file,date_minute | head ( date_minute > 50 )
Result :
Explanation :
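In the above query, “file” and “date_minute” are two existing field names in the “_internal” index. The query returns results in the search order until it reaches the first result whose date_minute value is <= 50, that is, the first result for which the expression date_minute > 50 is false.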
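The difference between the expression form in Example 4 and a filter, as an added example that is not part of the original page: a small Python model of the head forms shown above, run over constructed rows. The function names, the sample rows and the choice to apply no count cap in the expression form are assumptions of this model.

```python
from itertools import islice, takewhile

DEFAULT_LIMIT = 10  # plain `head` returns the first 10 results


def head(results, n=None, predicate=None):
    """Model the forms on this page: head, head <N> / head limit=<int>,
    and head (<eval-expression>)."""
    if predicate is not None:
        # Expression form: keep results until the first one that fails the
        # test, then stop. Assumption of this model: no count cap applies.
        return list(takewhile(predicate, results))
    return list(islice(results, DEFAULT_LIMIT if n is None else n))


def where(results, predicate):
    """A plain filter, for contrast: keeps every matching result."""
    return [r for r in results if predicate(r)]


def over_50(row):
    """Stands in for the eval expression ( date_minute > 50 )."""
    return row["date_minute"] > 50


# Constructed sample rows, already in search order (not real _internal data).
MINUTES = [58, 55, 52, 12, 59, 57, 3, 51, 40, 56, 54, 53]
ROWS = [{"file": f"file_{i:02d}.log", "date_minute": m}
        for i, m in enumerate(MINUTES)]

if __name__ == "__main__":
    print("head           ->", len(head(ROWS)), "rows")
    print("head 5         ->", len(head(ROWS, n=5)), "rows")
    print("head limit=7   ->", len(head(ROWS, n=7)), "rows")
    stopped = head(ROWS, predicate=over_50)
    print("head (expr)    ->", [r["date_minute"] for r in stopped])
    kept = where(ROWS, over_50)
    print("filter on expr ->", [r["date_minute"] for r in kept])
```

The expression form stops at the first row with date_minute <= 50, so later rows that would satisfy the expression are not returned, while the filter keeps all of them.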
Now you can effectively utilize “head” command in your daily use to meet your requirement !!
Hope you are now comfortable in : Usage of Splunk commands : HEAD
Happy Splunking !!