Dashboards & Visualizations

Maximum number of columns in a table (after table *)

FrankSPL
Path Finder

Hi all,
Is there a maximum number of columns that Splunk allows in a table?

I have a data set with a variable (and unknown) amount of extracted fields that I want to put in a table for further processing.
I use:

select data | table *

However, the created table is incomplete.

For example:
select same data | table fieldXYZ
Produces a result

select same data | table * | table fieldXYZ
produces NO results

In total there could be more than 200 different fields so I need a 200-column-wide table. Is that possible?
I suspect my current search hits some max column number or something?

Any ideas how to fix this (or get around this?)

0 Karma
1 Solution

koshyk
Super Champion

Which Splunk version are you using?
On 6.4.x+, I can display more than 1000 columns.

The easiest way to check this is

<some_data>| table * | transpose

and count how many rows are present.

The 2nd alternative is to combine multiple fields into a single field and then download it and process it later, though I feel 200 columns is humanly tough to analyse.

0 Karma

FrankSPL
Path Finder

Does not seem to be a max column issue but I'm definitely hitting some limit.

To simplify some testing I filtered the data set, in this example I want only data from specific sensors.

sourcetype=senssordata sensortype=sens*
Gives 108 events as results (with two different sensortypes, "sens1" and "sens-B").

sourcetype=senssordata sensortype="sens1" OR sensortype="sens-B"
Gives the same 108 events as result.

So far, so good.
Now the strange issue appears.

sourcetype=senssordata sensortype="sens1" OR sensortype="sens-B" | fieldsummary
or
sourcetype=senssordata sensortype="sens1" OR sensortype="sens-B" | table *

versus

sourcetype=senssordata sensortype=sens* | fieldsummary
or
sourcetype=senssordata sensortype=sens* | table *

Does give a different output!!!
Both field summaries are not equal, and both table * outputs are not equal, even when both are derived from the same selection of events.

The output of the second query contains many more fields, and those fields don't seem to exist.
The first query seems to output valid data. But the second should do exactly the same.

Any ideas?

0 Karma

FrankSPL
Path Finder

Yes, I triple checked.
With the stats, no other sensortypes are found.

Also the results before the |fieldsummary (or table*) command are exactly the same.

As my initial question was about a column limit (which wasn't the case), I will post this issue in a separate question to keep things clear.

0 Karma

koshyk
Super Champion

Looking at the SPL below, will sens* match more types of sensortype, like sens-C?
Do

sourcetype=senssordata sensortype="sens*" | stats count by sensortype

and check if it contains only sens1 and sens-B.

0 Karma

FrankSPL
Path Finder

Thanks for your answer. I'm running 6.6 and a column max seems not to be the issue. I used your suggestion to find out. I'm still hitting some other issue (see above).

0 Karma

koshyk
Super Champion

That's good to know. My opinion is to create the new issue as a separate question with some sample data to analyse the problem in detail. I believe the new issue is related to data and SPL.
You can close/accept this question, so it's not confused.

0 Karma