The command table does not show all fields

splk_clheureux · ‎09-13-2016

My data :
_time MODULE NOMBRE_DE_WA_ECRITS [...]
2016-07-18 20:02:37 MOD1 10

My search :

eventtype=log_sepa
| table _time MODULE  *

Results are without NOMBRE_DE_WA_ECRITS :
_time MODULE [...]
2016-07-18 20:02:37 MOD1

When I do this search my field it's working :

    eventtype=log_sepa
    | table _time MODULE NOMBRE_DE_WA_ECRITS *

Results :
_time MODULE NOMBRE_DE_WA_ECRITS [...]
2016-07-18 20:02:37 MOD1 10

I can't write all the fields name because there are dynamics.

There is a limitation number for the fields to show ?

PS : In the limits.conf the property truncate_report is at false.

Thanks

nick405060 · ‎08-24-2018

Same! I have many fields, including "reason" and "result".

<data> | table *

... does not show the two columns (it shows less than 50 other columns)

but

<data> | table reason result

... then shows both columns, and both are populated with data. In etc/system/local/limits.conf, maxcols=512 and truncate_report=false.

Anyone help with this?

<<< Additional tags: Duo app, Duo add-on >>>

splk_clheureux · ‎09-13-2016

The search eventtype=log_sepa | table _time * return the same results.
I juste find the answer. There is a limitation to 100 column in limits.conf

nick405060 · ‎08-24-2018

I downvoted this post because there is no limitation to 100 columns in limits.conf that i can see. Does not fix problem.

richgalloway · ‎09-13-2016

If your problem is solved, please accept the answer to help others find it in future.

---
If this reply helps you, Karma would be appreciated.

inventsekar · ‎09-13-2016

may i know what happens when you run -
eventtype=log_sepa
| table _time *

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Are you a member of the Splunk Community?