Usage of Splunk commands : TAIL
The “tail” command works as follows:
- The tail command returns the last N results in the search order.
- The events are returned in reverse order, starting at the end of the result set.
- If no limit is specified, it shows the last 10 results by default, starting at the end of the result set.
The syntax of the “tail” command in Splunk is:
tail [ <N> ]
Example 1:
index=_internal NOT file="*sch*" | table file | dedup file | tail
Explanation:
In the above query, “file” is an existing field name in the “_internal” index.
The result set shows the last 10 file names in the “file” column. Because we haven’t given a limit to the “tail” command, by default it shows the last 10 values in the search order.
*********************************************************************************
Example 2:
index=_internal NOT file="*sch*" | table file | dedup file | tail 8
Explanation :
In the above query, “file” is an existing field name in the “_internal” index.
The result set shows the last 8 file names in the “file” column. Because we have given N=8 to the “tail” command, it shows the last 8 values in the search order.
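To see the reverse ordering directly, the following search is an added example (not from the original page) that needs no indexed data: it generates 20 results with makeresults and numbers them once before and once after “tail”. The field names input_position and output_position are made up for this illustration.

```spl
| makeresults count=20
| streamstats count AS input_position
| tail 5
| streamstats count AS output_position
| table output_position input_position
```

The five rows come back with input_position 20, 19, 18, 17, 16 against output_position 1 to 5, so “tail” starts at the end of the result set and walks backwards.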
Now you can effectively use the “tail” command in your daily work to meet your requirements!
Hope you are now comfortable with the usage of the Splunk command TAIL.
HAPPY SPLUNKING !!