Hey everyone, if you are looking for a way to show only a summary of your events instead of every line of them, you are in the right place. The abstract command in Splunk produces a summary of each search result: it works on the event text stored in the _raw field and replaces that text with the summary. Suppose the raw text of an event runs to 10 lines and you only want the first few of them on screen, or there are lines you do not want displayed in this particular search. This is where abstract comes in: you specify the number of lines to keep per event and only those lines are shown. Below you will find the syntax, a sample query and screenshots showing how to achieve this, so keep reading.
Key points of the abstract command in Splunk:
Produces a summary, a shortened version of the _raw text, of each search result.
maxlines sets the maximum number of lines kept per event; maxterms sets the maximum number of search terms used when choosing which lines to keep.
If the text of an event has fewer lines than, or the same number of lines as, maxlines, no change occurs.
Syntax:
abstract [maxterms=<int>] [maxlines=<int>]
Query before using abstract command:
index=* sourcetype="WinEventLog:Application"
| stats c by _raw
Results before using abstract command:
Query after using abstract command:
index=* sourcetype="WinEventLog:Application"
| stats c by _raw
| abstract maxlines=4
Results after using abstract command:
Explanation:
The abstract command limits how much of each event is displayed: it keeps at most the number of lines set by maxlines and drops the rest from the search result. In the example above only the first four lines of each event are shown because of maxlines=4. Keep in mind that this changes only what this search displays. The full event is still stored in the index and is returned in full by any search that does not run abstract, so the command is a presentation tool, not a way to redact or protect confidential data; for that you need index-time masking or role-based access restrictions on the data itself.
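To make the two parameters concrete, here is a small Python model of the behaviour described above. It is an added example written for this post, not Splunk's implementation or any code from the original page: the rule that lines containing search terms are preferred when an event has to be shortened is an assumption based on the description of maxterms, the fallback to the first maxlines lines when no term matches follows the result shown in the screenshots, and the sample event is constructed to resemble a WinEventLog:Application record.

```python
# Simplified model of the Splunk `abstract` command (example code, not Splunk's).
# Assumption: when an event must be shortened, lines containing the search terms
# (only the first `maxterms` of them are considered) are preferred; with no
# matching terms the first `maxlines` lines are kept, as in the post's example.

def abstract_event(raw: str, search_terms=(), maxterms: int = 10, maxlines: int = 5) -> str:
    """Return a summary of one multi-line event.

    - An event with <= maxlines lines is returned unchanged.
    - Otherwise at most maxlines lines are kept, in their original order.
    - Lines that contain more of the (first maxterms) search terms rank higher;
      ties are broken by position, so with no terms the first lines win.
    """
    lines = raw.splitlines()
    if len(lines) <= maxlines:
        return raw                      # documented edge case: no change

    terms = [t.lower() for t in list(search_terms)[:maxterms]]

    def score(line: str) -> int:
        low = line.lower()
        return sum(1 for t in terms if t in low)

    # Highest score first, earlier line first on ties; keep the top maxlines,
    # then restore original order so the summary reads like the event.
    ranked = sorted(range(len(lines)), key=lambda i: (-score(lines[i]), i))
    keep = sorted(ranked[:maxlines])
    return "\n".join(lines[i] for i in keep)


# Constructed sample event (10 lines), shaped like a WinEventLog:Application record.
EVENT = "\n".join([
    "03/14/2024 09:15:02 AM",
    "LogName=Application",
    "EventCode=1000",
    "EventType=2",
    "ComputerName=WS01.corp.example",
    "SourceName=Application Error",
    "Type=Error",
    "Message=Faulting application name: payroll.exe",
    "Exception code: 0xc0000005",
    "Faulting module path: C:\\Program Files\\Payroll\\payroll.exe",
])

if __name__ == "__main__":
    # Equivalent of `| abstract maxlines=4` with no free-text search terms.
    print(abstract_event(EVENT, maxlines=4))
    print("---")
    # Same event, but a search that contains the term payroll.exe.
    print(abstract_event(EVENT, search_terms=("payroll.exe",), maxlines=2))
```

Running the block prints the first four lines of the sample event for the plain maxlines=4 case, and the two payroll.exe lines when that term is part of the search, which is the difference between the two parameters in practice.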
If you are still facing issues with the abstract command in Splunk, feel free to ask in the comment box below, and don't forget to follow us on social platforms. Happy Splunking!