https://community.splunk.com/t5/Splunk-Search/abstract-for-event/m-p/318322#M162606 <P>Hi,</P> <P>When you use abstract command , it will display summary of event based on maxline settings. Like it shown in attached example screenshots.</P> <P>Also refer:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Abstract">https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Abstract</A></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4457iD2A9FDFA8B736EFC/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4458i09EFB656DC93384D/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 05 Mar 2018 09:44:42 GMT p_gurav 2018-03-05T09:44:42Z https://community.splunk.com/t5/Splunk-Search/abstract-for-event/m-p/318321#M162605 <P>Hi , Could you please help me to use of abstract command for below event.What would be output for below command if used abstract command.Thanks<BR /> 3/3/18<BR /> 8:29:19.637 AM<BR /><BR /> 03-03-2018 08:29:19.637 +0530 INFO Metrics - group=udpin_connections, <EM>:514, sourcePort=514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00<BR /> host = Maheshs-MacBook-Pro.local message = group=udpin_connections, *:514, sourcePort=514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00 source = /Applications/Splunk/var/log/splunk/metrics.log sourcetype = splunkd<BR /> 3/3/18<BR /> 8:29:19.637 AM<BR /><BR /> 03-03-2018 08:29:19.637 +0530 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2001685845310872, instantaneous_eps=4.193675144310007, average_kbps=1.4621956041103525, total_k_processed=1949, kb=37.2041015625, ev=130, load_average=2.28173828125<BR /> host = Maheshs-MacBook-Pro.local message = group=thruput, name=thruput, instantaneous_kbps=1.2001685845310872, instantaneous_eps=4.193675144310007, average_kbps=1.4621956041103525, total_k_processed=1949, kb=37.2041015625, ev=130, load_average=2.28173828125 source = /Applications/Splunk/var/log/splunk/metrics.log sourcetype = splunkd<BR /> 3/3/18<BR /> 8:29:19.637 AM<BR /><BR /> 03-03-2018 08:29:19.637 +0530 INFO Metrics - group=thruput, name=syslog_output, instantaneous_kbps=0, instantaneous_eps=0, average_kbps=0, total_k_processed=0, kb=0, ev=0<BR /> host = Maheshs-MacBook-Pro.local message = group=thruput, name=syslog_output, instantaneous_kbps=0, instantaneous_eps=0, average_kbps=0, total_k_processed=0, kb=0, ev=0 source = /Applications/Splunk/var/log/splunk/metrics.log sourcetype = splunkd<BR /> 3/3/18<BR /> 8:29:19.637 AM<BR /><BR /> 03-03-2018 08:29:19.637 +0530 INFO Metrics - group=thruput, name=index_thruput, instantaneous_kbps=1.200168661963664, instantaneous_eps=3.67753074843138, average_kbps=1.4630094930559567, total_k_processed=1950, kb=37.2041015625, ev=114<BR /> host = Maheshs-MacBook-Pro.local message = group=thruput, name=index_thruput, instantaneous_kbps=1.200168661963664, instantaneous_eps=3.67753074843138, average_kbps=1.4630094930559567, total_k_processed=1950, kb=37.2041015625, ev=114 source = /Applications/Splunk/var/log/splunk/metrics.log sourcetype = splunkd</EM><EM>strong text</EM>*</P> Tue, 29 Sep 2020 18:14:10 GMT https://community.splunk.com/t5/Splunk-Search/abstract-for-event/m-p/318321#M162605 maheshsat 2020-09-29T18:14:10Z https://community.splunk.com/t5/Splunk-Search/abstract-for-event/m-p/318322#M162606 <P>Hi,</P> <P>When you use abstract command , it will display summary of event based on maxline settings. Like it shown in attached example screenshots.</P> <P>Also refer:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Abstract">https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Abstract</A></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4457iD2A9FDFA8B736EFC/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4458i09EFB656DC93384D/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 05 Mar 2018 09:44:42 GMT https://community.splunk.com/t5/Splunk-Search/abstract-for-event/m-p/318322#M162606 p_gurav 2018-03-05T09:44:42Z https://community.splunk.com/t5/Splunk-Search/abstract-for-event/m-p/318323#M162607 <P>Sorry to ask foolish question what is use of maxlines , I don't see any changes when maxillae is set, if is to restrict lines but i don't see line is getting restrict.Thanks</P> Mon, 05 Mar 2018 10:51:11 GMT https://community.splunk.com/t5/Splunk-Search/abstract-for-event/m-p/318323#M162607 maheshsat 2018-03-05T10:51:11Z