abstract for event

Explorer

Hi, could you please help me with the use of the abstract command for the events below? What would the output be for the events below if the abstract command were used? Thanks
3/3/18
8:29:19.637 AM

03-03-2018 08:29:19.637 +0530 INFO Metrics - group=udpinconnections, *:514, sourcePort=514, _udpbps=0.00, udpkbps=0.00, udpavgthruput=0.00, _udpkprocessed=0.00, udpeps=0.00
host = Maheshs-MacBook-Pro.local message = group=udpinconnections, *:514, sourcePort=514, _udpbps=0.00, udpkbps=0.00, udpavgthruput=0.00, _udpkprocessed=0.00, udpeps=0.00 source = /Applications/Splunk/var/log/splunk/metrics.log sourcetype = splunkd
3/3/18
8:29:19.637 AM

03-03-2018 08:29:19.637 +0530 INFO Metrics - group=thruput, name=thruput, instantaneouskbps=1.2001685845310872, instantaneouseps=4.193675144310007, averagekbps=1.4621956041103525, totalkprocessed=1949, kb=37.2041015625, ev=130, loadaverage=2.28173828125
host = Maheshs-MacBook-Pro.local message = group=thruput, name=thruput, instantaneouskbps=1.2001685845310872, instantaneouseps=4.193675144310007, averagekbps=1.4621956041103525, totalkprocessed=1949, kb=37.2041015625, ev=130, loadaverage=2.28173828125 source = /Applications/Splunk/var/log/splunk/metrics.log sourcetype = splunkd
3/3/18
8:29:19.637 AM

03-03-2018 08:29:19.637 +0530 INFO Metrics - group=thruput, name=syslogoutput, instantaneouskbps=0, instantaneouseps=0, averagekbps=0, totalkprocessed=0, kb=0, ev=0
host = Maheshs-MacBook-Pro.local message = group=thruput, name=syslogoutput, instantaneouskbps=0, instantaneouseps=0, averagekbps=0, totalkprocessed=0, kb=0, ev=0 source = /Applications/Splunk/var/log/splunk/metrics.log sourcetype = splunkd
3/3/18
8:29:19.637 AM

03-03-2018 08:29:19.637 +0530 INFO Metrics - group=thruput, name=indexthruput, instantaneouskbps=1.200168661963664, instantaneouseps=3.67753074843138, averagekbps=1.4630094930559567, totalkprocessed=1950, kb=37.2041015625, ev=114
host = Maheshs-MacBook-Pro.local message = group=thruput, name=indexthruput, instantaneouskbps=1.200168661963664, instantaneouseps=3.67753074843138, averagekbps=1.4630094930559567, totalkprocessed=1950, kb=37.2041015625, ev=114 source = /Applications/Splunk/var/log/splunk/metrics.log sourcetype = splunkd

0 Karma

Champion

Hi,

When you use the abstract command, it displays a summary of each event based on the maxlines setting, as shown in the attached example screenshots.

Also refer:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Abstract

0 Karma
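To make the answer concrete, here is an added illustration (written for this thread, not Splunk's own code and not taken from the docs page linked above) of what abstract does to an event's text: it replaces the raw event with a summary of at most maxlines lines, preferring lines that contain the search terms. The line-selection heuristic is a simplified assumption; Splunk's internal scoring is not reproduced. The first sample event is the single-line metrics.log event from the question; the second is a constructed multiline event. Because the metrics.log events in the question are single-line, a summary limited to N lines is the event itself, which is why no change is visible there.

```python
"""Simplified model of Splunk's `abstract` command (illustrative, not Splunk code).

Assumption made here: the summary keeps lines containing any search term first
(in original order), then fills remaining slots with the earliest unused lines.
"""


def abstract_event(raw, maxlines=5, terms=()):
    """Return a summary of `raw` with at most `maxlines` lines.

    An event with `maxlines` lines or fewer is returned unchanged, which is
    exactly what happens to single-line events such as metrics.log entries.
    """
    lines = raw.splitlines()
    if len(lines) <= maxlines:
        return raw
    lowered = [t.lower() for t in terms]
    # Lines matching a search term are the most informative; keep them first.
    matched = [i for i, ln in enumerate(lines)
               if any(t in ln.lower() for t in lowered)]
    keep = set(matched[:maxlines])
    # Fill any remaining slots with the earliest lines not already kept.
    for i in range(len(lines)):
        if len(keep) >= maxlines:
            break
        keep.add(i)
    return "\n".join(lines[i] for i in sorted(keep))


def abstract_results(events, maxlines=5, terms=()):
    """Apply abstract_event to every event in a result set, like `| abstract`."""
    return [abstract_event(e, maxlines, terms) for e in events]


# Single-line event copied from the question (metrics.log, group=udpinconnections).
METRICS_EVENT = (
    "03-03-2018 08:29:19.637 +0530 INFO Metrics - group=udpinconnections, *:514, "
    "sourcePort=514, _udpbps=0.00, udpkbps=0.00, udpavgthruput=0.00, "
    "_udpkprocessed=0.00, udpeps=0.00"
)

# Constructed multiline event (a stack trace) to show where maxlines bites.
MULTILINE_EVENT = "\n".join([
    "2018-03-03 08:29:19,637 ERROR Scheduler - job run failed",
    "java.io.IOException: connection reset",
    "    at com.example.Scheduler.run(Scheduler.java:42)",
    "    at com.example.Main.main(Main.java:10)",
    "Caused by: java.net.SocketException: connection reset",
])


if __name__ == "__main__":
    for summary in abstract_results([METRICS_EVENT, MULTILINE_EVENT],
                                    maxlines=2, terms=["error"]):
        print(summary)
        print("-" * 40)
```

Running the block prints the metrics event untouched (it has only one line) followed by a two-line summary of the stack trace: the ERROR line that matched the term and the first remaining line.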

Explorer

Sorry to ask a foolish question, but what is the use of maxlines? I don't see any changes when maxlines is set. If it is meant to restrict lines, I don't see the lines getting restricted. Thanks

0 Karma