Splunk Search

How to collapse unneeded lines in the search result for a very long event?

zliu
Splunk Employee

Search string "mismatch".

The single event is about 2-3K lines or more. In the lines of text there are 5 lines with the text "mismatch". A search on the word "mismatch" displays all lines and not just the lines with mismatch.

How to collapse unneeded lines in the search result?


sideview
SplunkTrust

If you're referring to the behaviour in the UI, it really should be collapsing huge multiline events for you by default, unless it's set specifically to show 'all'.

With the search UI showing you events, click 'options' just above the events, and in the popup that opens, check whether 'lines per event' is set to 'all'...

It may be possible you set it once long ago and forgot about it?

sideview
SplunkTrust

Hm. It sounds like a bug then. Not sure what else could explain it. Unless the individual lines are incredibly long, and there really are only 5 or 10 lines there and they're just wrapping a lot.


zliu
Splunk Employee

"options" doesn't make any difference for the user. We tried it 😞


zliu
Splunk Employee

One event that is 2-3k-line-long. Splunk displays the entire event with "mismatch" word highlighted. What is wanted: just show lines that have the word "mismatch" highlighted.


gkanapathy
Splunk Employee

Is the event actually multiple lines (separated with newlines/carriage returns) merged into one event, or is it just one really long line that Splunk breaks on display?


Lowell
Super Champion

There are a couple different approaches, none of which I'm a big fan of.

  1. Turn _raw into a multi-value field and then filter out any line without "mismatch" in it:

    ... | eval tmp_raw=split(_raw, "\n") | eval tmp_raw=mvfilter(match(tmp_raw,"\bmismatch\b")) | eval _raw=mvjoin(tmp_raw,"\n")

    (You could do all of this in one eval but for the purposes of demonstration and clarity, I've split it out into multiple steps.)

  2. Extract out the individual mismatch lines with rex

    ... | rex max_match=100 "(?m)^(?<wanted_line>.*\bmismatch\b.*)$" | eval _raw=mvjoin(wanted_line, "\n")

I wasn't able to test either of these, so there could be typos/bugs... but perhaps this will give you a place to start.


You may need to swap out your end of line characters first. (Not 100% sure either way) Here is an example that uses the term --BREAKER-- (which you should use, if your events happen to already contain that phrase, but most likely, they will not).

    ... | rex mode=sed "s/\r?\n/--BREAKER--/g" | eval raw_lines=split(_raw, "--BREAKER--") | eval raw_lines=mvfilter(match(raw_lines,"\bmismatch\b")) | eval _raw=mvjoin(raw_lines,"\n")
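To check what the two pipelines above keep, and where they differ, without a Splunk instance, here is an added Python mirror of the same split/filter/join and rex logic; it is not from this thread and runs over a constructed CRLF event. It shows two things the SPL alone does not: the `max_match=100` in the rex variant silently caps how many matching lines survive in a 2-3K-line event, and with CRLF input the rex capture keeps its trailing `\r`, which is the reason for normalizing line endings first.

```python
import re

# Constructed sample event (not from the thread): 600 CRLF-terminated lines,
# every fifth line holds the whole word "mismatch", and a final line holds
# "mismatched", which the \b word boundaries in the thread's regex exclude.
SAMPLE_EVENT = "\r\n".join(
    ("checksum mismatch: file_%03d" if i % 5 == 0 else "checksum ok: file_%03d") % i
    for i in range(1, 601)
) + "\r\nnote: one mismatched entry was ignored"

WORD_RE = re.compile(r"\bmismatch\b")


def normalize_line_endings(raw, breaker="--BREAKER--"):
    """Mirror of rex mode=sed "s/\\r?\\n/--BREAKER--/g": CRLF pairs and bare
    LFs become a marker that later splitting cannot confuse with a newline."""
    return re.sub(r"\r?\n", breaker, raw)


def keep_matching_lines(raw, breaker="--BREAKER--"):
    """Approach 1: split on the marker and keep lines where match() succeeds.
    Returns the kept lines (the mvfilter result, before mvjoin)."""
    lines = normalize_line_endings(raw, breaker).split(breaker)
    return [line for line in lines if WORD_RE.search(line)]


def rex_matching_lines(raw, max_match=100):
    """Approach 2: rex "(?m)^(?<wanted_line>.*\\bmismatch\\b.*)$" max_match=N.
    max_match caps the number of captures kept; 0 is treated as unlimited,
    as Splunk's rex command does. With CRLF input each captured line keeps
    its trailing \\r, because '.' matches it and '$' matches before '\\n'."""
    pattern = re.compile(r"^(?P<wanted_line>.*\bmismatch\b.*)$", re.MULTILINE)
    found = [m.group("wanted_line") for m in pattern.finditer(raw)]
    return found[:max_match] if max_match > 0 else found


def rebuild_raw(lines):
    """mvjoin(lines, "\\n"): the collapsed event shown instead of the full one."""
    return "\n".join(lines)


if __name__ == "__main__":
    kept = keep_matching_lines(SAMPLE_EVENT)
    total = SAMPLE_EVENT.count("\n") + 1
    print("approach 1 kept %d of %d lines" % (len(kept), total))
    print("approach 2 (max_match=100) kept %d lines" % len(rex_matching_lines(SAMPLE_EVENT)))
    print(rebuild_raw(kept[:3]))
```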