Hi All,
I have a large data set with lots of fields and I want that in a table. However this is not working correctly.
When I test with | fieldsummary I also get strange results.
First I select data
sourcetype=senssordata sensortype="sensortypeA" | fieldsummary
Gives me all fields related to this selection of one sensortype. The majority of the fields are parameter names, for example: PARA1, PARA2, PARA3, etc...
When I transform this in a table by using
sourcetype=senssordata sensortype="sensortypeA" | table *
The same fields are presented in the table.
Now I add more sensortypes to my search
sourcetype=senssordata sensortype IN ("sensortypeA", "sensortypeB","sensortypeC" | fieldsummary
Still no problem. (also the table * works fine)
I receive more PARAx fields because not every sensortype has the same parameter set.
However when I select more sensortypes it start to go wrong
sourcetype=senssordata sensortype IN ("sensortypeA", ....."sensortypeZ" | fieldsummary
Some PARA values that were in the initial fieldsummary outputs are gone.
The table output also fails:
sourcetype=senssordata sensortype IN ("sensortypeA", ....."sensortypeZ" | table *
The fields presented in the fieldsummary are in the table but it is also incomplete.
Is it possible that both fieldsummary and table* can retrieve a maximum number of extracted fields. It looks like a limit around 100 fields. And can this limit be adjusted?
[EDIT] After some extra testing,
Again with sourcetype=senssordata sensortype IN ("sensortypeA", ....."sensortypeZ" | fieldsummary
I know for sure that I'm missing fields. For example PARA2 is missing in this fieldsummary (as it is available when the search is limited to only a few sensortypes)
However, when I adjust the query to
sourcetype=senssordata sensortype IN ("sensortypeA", ....."sensortypeZ" | fields PARA2 | fieldsummary
Then PARA2 is back again (and only PARA2 because I did not select more)
... View more