Produces a summary of each search result.
abstract [maxterms=int] [maxlines=int]
- Syntax: maxterms=<int>
- Description: The maximum number of terms to match.
- Syntax: maxlines=<int>
- Description: The maximum number of lines to match.
This data processing command produces an abstract (summary) of each search result. The importance of a line in being in the summary is scored by how many search terms it contains as well as how many search terms are on nearby lines. If a line has a search term, its neighboring lines also partially match, and may be returned to provide context. When there are jumps between the lines selected, lines are prefixed with an ellipsis (...).
Example 1: Show a summary of up to 5 lines for each search result.
... |abstract maxlines=5
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the abstract command.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 , 5.0 , 5.0.1 , 5.0.2 , 5.0.3 , 5.0.4 , 5.0.5 , 5.0.6 , 6.0