https://community.splunk.com/t5/Monitoring-Splunk/Fieldsummary-returning-entire-log-lines-in-resultset/m-p/61809#M7150 <P>not sure if this is what the problem is, but are you explicitly setting the maxvals argument? it has a default value of 100 distinct values to return for each field if you don't set it explicitly. <BR /> also, can you provide the search string you're using and a sample of the data that is working and a sample of what's not? <BR /> also, what do you mean by running the query manually? it's a search command, so you can run it on the commandline if you have the necessary permissions.</P> Thu, 14 Mar 2013 22:23:53 GMT piebob 2013-03-14T22:23:53Z https://community.splunk.com/t5/Monitoring-Splunk/Fieldsummary-returning-entire-log-lines-in-resultset/m-p/61808#M7149 <P>We're using the fieldsummary function in splunk to return the list of fields (as it was designed) for each of our indexes. This works great for almost all our indexes except for our windows snare index. When fieldsummary is run on this index we get all the fields plus each individual log line being returned.</P> <P>Does anyone know how fieldsummary works and if the query can be run manually? and/or if there's some sort of character limitation on fieldsummary that our windows event logs are tripping causing it spew all the log lines when the command is executed?</P> <P>e.g<BR /> index=snare | fieldsummary | table field</P> <P>field <BR /><BR /> Account_Domain <BR /><BR /> Account_For_Which_Logon_Failed <BR /><BR /> Account_Name <BR /><BR /> Account_Whose_Credentials_Were_Used <BR /><BR /> Additional_Information <BR /><BR /> Authentication_Package <BR /><BR /> Caller_Domain <BR /><BR /> Caller_Logon_ID <BR /><BR /> Caller_Process_ID <BR /><BR /> Caller_Process_Name <BR /><BR /> Caller_User_Name <BR /><BR /> CategoryString <BR /><BR /> Certificate_Information <BR /><BR /> Certificate_Issuer_Name <BR /><BR /> Certificate_Serial_Number <BR /><BR /> Certificate_Thumbprint <BR /><BR /> Client_Address <BR /><BR /> Client_Port <BR /><BR /> ComputerName <BR /><BR /> Creator_Process_ID <BR /><BR /> Criticality <BR /><BR /> DataString <BR /><BR /> Detailed_Authentication_Information <BR /><BR /> Domain <BR /><BR /> EventCode <BR /><BR /> EventLog <BR /><BR /> EventLogType <BR /><BR /> Event_Log <BR /><BR /> ExpandedString <BR /><BR /> Failure_Code <BR /><BR /> Failure_Information <BR /><BR /> Failure_Reason <BR /><BR /> Image_File_Name <BR /><BR /> Key_Length <BR /><BR /> Logon_Account <BR /><BR /> Logon_GUID <BR /><BR /> Logon_ID <BR /><BR /> Logon_Process <BR /><BR /> Logon_Type <BR /><BR /> Mar_11_20_08_03_10_200_12_14_YYY0029_xxxxx_xxxxx_com_MSWinEventLog_0_Security_200054_Mon_Mar_11_16_06_18_2013_4624_Microsoft_Windows_Security_Auditing_Ixxxxx_smith_N_A_Success_Audit_YYY0029_xxxxx_xxxxx_com_Logon__An_account_was_successfully_logged_on_____Subject <BR /><BR /> Mar_11_20_08_03_10_200_12_14_YYY0029_xxxxx_xxxxx_com_MSWinEventLog_0_Security_200056_Mon_Mar_11_16_06_18_2013_4624_Microsoft_Windows_Security_Auditing_Ixxxxx_smith_N_A_Success_Audit_YYY0029_xxxxx_xxxxx_com_Logon__An_account_was_successfully_logged_on_____Subject <BR /><BR /> Mar_11_20_08_03_10_200_70_45_YYY45_xxxxx_xxxxx_com_MSWinEventLog_0_Security_123596_Mon_Mar_11_16_06_06_2013_540_Security_somesrvacct_User_Success_Audit_YYY45_Logon_Logoff__Successful_Network_Logon <BR /><BR /> Mar_11_20_08_03_10_200_70_45_YYY45_xxxxx_xxxxx_com_MSWinEventLog_0_Security_123597_Mon_Mar_11_16_06_06_2013_538_Security_somesrvacct_User_Success_Audit_YYY45_Logon_Logoff__User_Logoff <BR /><BR /> Mar_11_20_08_03_10_200_70_45_YYY45_xxxxx_xxxxx_com_MSWinEventLog_0_Security_123598_Mon_Mar_11_16_06_06_2013_576_Security_somesrvacct_User_Success_Audit_YYY45_Logon_Logoff__Special_privileges_assigned_to_new_logon <BR /><BR /> Mar_11_20_08_03_10_200_70_45_YYY45_xxxxx_xxxxx_com_MSWinEventLog_0_Security_123599_Mon_Mar_11_16_06_06_2013_540_Security_somesrvacct_User_Success_Audit_YYY45_Logon_Logoff__Successful_Network_Logon <BR /><BR /> Mar_11_20_08_03_10_200_70_45_YYY45_xxxxx_xxxxx_com_MSWinEventLog_0_Security_123600_Mon_Mar_11_16_06_06_2013_538_Security_somesrvacct_User_Success_Audit_YYY45_Logon_Logoff__User_Logoff <BR /><BR /> Mar_11_20_08_03_10_200_86_180_YYY5686_xxxxx_xxxxx_com_MSWinEventLog_0_Security_2585_Mon_Mar_11_16_06_18_2013_4673_Microsoft_Windows_Security_Auditing_NT_AUTHORITY_LOCAL_SERVICE_N_A_Failure_Audit_YYY5686_xxxxx_xxxxx_com_Sensitive_Privilege_Use__A_privileged_service_was_called_____Subject <BR /><BR /> Mar_11_20_08_03_10_202_105_17_YYY101155_xxxxx_xxxxx_com_MSWinEventLog_0_Security_230359_Mon_Mar_11_16_06_17_2013_4624_Microsoft_Windows_Security_Auditing_NT_AUTHORITY_ANONYMOUS_LOGON_N_A_Success_Audit_YYY101155_xxxxx_xxxxx_com_Logon__An_account_was_successfully_logged_on_____Subject <BR /><BR /> Mar_11_20_08_03_10_202_105_17_YYY101155_xxxxx_xxxxx_com_MSWinEventLog_0_Security_230360_Mon_Mar_11_16_06_17_2013_4624_Microsoft_Windows_Security_Auditing_NT_AUTHORITY_ANONYMOUS_LOGON_N_A_Success_Audit_YYY101155_xxxxx_xxxxx_com_Logon__An_account_was_successfully_logged_on_____Subject <BR /><BR /> .... <BR /></P> <P><STRONG>whereas</STRONG><BR /> index=dns | fieldsummary | table field</P> <P>field <BR /><BR /> Context <BR /><BR /> Direction <BR /><BR /> InternalPktID <BR /><BR /> Protocol <BR /><BR /> Thread_ID <BR /><BR /> date_hour <BR /><BR /> date_mday <BR /><BR /> date_minute <BR /><BR /> date_month <BR /><BR /> date_second <BR /><BR /> date_wday <BR /><BR /> date_year <BR /><BR /> date_zone <BR /><BR /> dest_domain <BR /><BR /> eventtype <BR /><BR /> host <BR /><BR /> index <BR /><BR /> linecount <BR /><BR /> product <BR /><BR /> punct <BR /><BR /> source <BR /><BR /> sourcetype <BR /><BR /> splunk_server <BR /><BR /> src_ip <BR /><BR /> vendor <BR /><BR /> xid <BR /></P> Mon, 28 Sep 2020 13:31:11 GMT https://community.splunk.com/t5/Monitoring-Splunk/Fieldsummary-returning-entire-log-lines-in-resultset/m-p/61808#M7149 ltawfall 2020-09-28T13:31:11Z https://community.splunk.com/t5/Monitoring-Splunk/Fieldsummary-returning-entire-log-lines-in-resultset/m-p/61809#M7150 <P>not sure if this is what the problem is, but are you explicitly setting the maxvals argument? it has a default value of 100 distinct values to return for each field if you don't set it explicitly. <BR /> also, can you provide the search string you're using and a sample of the data that is working and a sample of what's not? <BR /> also, what do you mean by running the query manually? it's a search command, so you can run it on the commandline if you have the necessary permissions.</P> Thu, 14 Mar 2013 22:23:53 GMT https://community.splunk.com/t5/Monitoring-Splunk/Fieldsummary-returning-entire-log-lines-in-resultset/m-p/61809#M7150 piebob 2013-03-14T22:23:53Z https://community.splunk.com/t5/Monitoring-Splunk/Fieldsummary-returning-entire-log-lines-in-resultset/m-p/61810#M7151 <P>It's not a maxval issue. I'm just trying to get the field names, not the values in the fields.</P> <P>manually.. running the query I mean generate the same data without using the "fieldsummary" command, some other method of generating the same data.</P> <P>All the lines.. that start with "Mar_11_20_08_03_10_202_" are gibberish.. not actual fields.</P> Mon, 28 Sep 2020 13:31:17 GMT https://community.splunk.com/t5/Monitoring-Splunk/Fieldsummary-returning-entire-log-lines-in-resultset/m-p/61810#M7151 ltawfall 2020-09-28T13:31:17Z https://community.splunk.com/t5/Monitoring-Splunk/Fieldsummary-returning-entire-log-lines-in-resultset/m-p/61811#M7152 <P>Did you try something like:</P> <PRE><CODE>index=snare |field - Mar_* | fieldsummary | table field </CODE></PRE> <P>Also, it may help to add a cluster command in the middle to reduce the load.</P> <PRE><CODE>index=snare |fields - Mar_* | cluster | fields - cluster_* | fieldsummary | table field </CODE></PRE> Mon, 24 Nov 2014 16:01:50 GMT https://community.splunk.com/t5/Monitoring-Splunk/Fieldsummary-returning-entire-log-lines-in-resultset/m-p/61811#M7152 reed_kelly 2014-11-24T16:01:50Z