Splunk Search

How to display my source data format in Splunk?

krishnamohan658
New Member

I have data that is feeding to Splunk from x source. That x source data is formatted like discussion points whereas if we pull the same data out in Splunk, it's showing like a whole paragraph. I guess it's because the table command removes formatting on purpose. Is there a way so that I can capture the same data format in Splunk other than the table command?


somesoni2
SplunkTrust

Try like this

<panel>
  <table>
    <title>Format</title>
    <search>
      <query>index=snow_prod sourcetype=snow:problem "PRB75601" | dedup sys_id | table ticket_id,u_why_did_this_happen </query>
      <earliest>-30d@d</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">row</option>
    <drilldown>
      <set token="T_ticket_id">$row.ticket_id$</set>
      <set token="T_u_why_did_this_happen">$row.u_why_did_this_happen$</set>
    </drilldown>
    <fields>["ticket_id","u_why_did_this_happen"]</fields>
  </table>
</panel>

<panel>
  <html>
    T_ticket_id=$T_ticket_id$
    T_u_why_did_this_happen=$T_u_why_did_this_happen$
  </html>
</panel>

krishnamohan658
New Member

RCA

<panel>
  <table>
    <title>Format</title>
    <search>
      <query>index=snow_prod sourcetype=snow:problem "PRB75601" | dedup sys_id | table ticket_id,u_why_did_this_happen </query>
      <earliest>-30d@d</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">row</option>
    <drilldown>
      <set token="T_ticket_id">$row.ticket_id$</set>
      <set token="T_u_why_did_this_happen">$row.u_why_did_this_happen$</set>
    </drilldown>
    <fields>["ticket_id","u_why_did_this_happen"]</fields>
  </table>
</panel>

<panel>
  <html>
    T_ticket_id=$T_ticket_id$
    T_u_why_did_this_happen=$T_u_why_did_this_happen$
  </html>
</panel>

krishnamohan658
New Member

Tried it, but it's still showing the same as a paragraph rather than in the formatted way.

Please help me out with options; I have to provide an update on whether it's doable or not.

Thanks
Krishna


krishnamohan658
New Member

RCA for impact between 10:57 pm - 11:40 pm - Only tier1 and WWW in CLT-A were enabled at 10:57 pm to resolve the hard down condition, Tier3 was still in BRF. Tier3 in CLT-A was enabled at 11:40 pm. There is a dependency of user-security service in Tier3 on public tools and shared apps in Tier1. They all have to be in the same datacenter for user-security local coherence cache to work.

There are no short term action items (including the OCI F5 dashboard proposed at the RCA call) at this time to address this problem.

Strategic solution for WebCenter Switching discussed in the RCA call -
A) AppViewX - being rolled out by next month and Will have visibility from F5 perspective. The tool will show the state of F5, eliminate unknowns when commands are unsuccessful on F5.
B) Operational Control Framework - replacement for OCI tool. The framework will be utilizing AppViewX and will have visibility on state of operations. Project just got approved and is in initial phase. Tentative time of completion is end of this year and roll out starts Jan 2017.

F5 software upgrade to V11 is being tracked through PRB75373.

The data exists like this in a formatted way. When we pull out the same in Splunk:

RCA for impact between 10:42 pm - 10:57 pm -The root cause could not be identified. There is a suspicion that WebCenter switching did not work as expected. However, there are no logs either on F5 or OCI tool to show where the failure was. Analysis was done to see if Tier1 disable commands fired from OCI tool show up on F5 side. Publictools, shared, iwc, m and retirementatwork Tier1 VIPs disable command in CLT-A do not show up on F5 in splunk. F5 team has confirmed that there are no splunk logging issues as other Tier1 VIPs disable command can be seen on F5 in splunk. F5 logs are already rolled over on the device and not available to further review the problem. RCA for impact between 10:57 pm - 11:40 pm - Only tier1 and WWW in CLT-A were enabled at 10:57 pm to resolve the hard down condition, Tier3 was still in BRF. Tier3 in CLT-A was enabled at 11:40 pm. There is a dependency of user-security service in Tier3 on public tools and shared apps in Tier1. They all have to be in the same datacenter for user-security local coherence cache to work. There are no short term action items (including the OCI F5 dashboard proposed at the RCA call) at this time to address this problem. Strategic solution for WebCenter Switching discussed in the RCA call - A) AppViewX - being rolled out by next month and Will have visibility from F5 perspective. The tool will show the state of F5, eliminate unknowns when commands are unsuccessful on F5. B) Operational Control Framework - replacement for OCI tool. The framework will be utilizing AppViewX and will have visibility on state of operations. Project just got approved and is in initial phase. Tentative time of completion is end of this year and roll out starts Jan 2017. F5 software upgrade to V11 is being tracked through PRB75373.

Please help me out with options; I have to provide an update on whether it's doable or not.
Thanks
Krishna


sundareshr
Legend

This works for me

  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype="splunk*" | stats count by source sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <drilldown>
          <set token="T_ticket_id">"$click.value$"</set>
          <set token="T_u_why_did_this_happen">"$row.sourcetype$"</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        T_ticket_id=$T_ticket_id$
        T_u_why_did_this_happen=$T_u_why_did_this_happen$
      </html>
    </panel>
  </row>

somesoni2
SplunkTrust

The table does remove the formatting. As a workaround, you can set up an in-page/contextual drilldown where you click on a row in the table (un-formatted value) to show the row/fields in an HTML panel below the table.

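A complete Simple XML dashboard built around that workaround, added here as an example and not code from the thread. It assumes the thread's index, sourcetype and field names (snow_prod, snow:problem, ticket_id, u_why_did_this_happen); the depends attribute and the |h token filter are standard Simple XML features, and the white-space style is what stops the browser from collapsing the line breaks again.

```xml
<!-- Added example dashboard (not from the thread): a table whose row drilldown feeds an
     HTML panel. Index, sourcetype and field names are assumptions taken from the search
     posted above. -->
<dashboard>
  <label>RCA detail (row drilldown demo)</label>
  <row>
    <panel>
      <title>Problems (click a row)</title>
      <table>
        <search>
          <query>index=snow_prod sourcetype=snow:problem "PRB75601"
            | dedup sys_id
            | table ticket_id, u_why_did_this_happen</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- $row.<field>$ carries the clicked row's raw field value, line breaks
               included; the table only flattens it for display. -->
          <set token="T_ticket_id">$row.ticket_id$</set>
          <set token="T_u_why_did_this_happen">$row.u_why_did_this_happen$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <!-- depends hides this panel until a row has been clicked and the token is set -->
    <panel depends="$T_ticket_id$">
      <title>Ticket $T_ticket_id$</title>
      <html>
        <!-- HTML collapses newlines and runs of spaces, so a bare token renders as one
             paragraph exactly like the table cell did. pre-wrap preserves the source
             line breaks while still wrapping long lines.
             The |h filter HTML-escapes the value, so ticket text that happens to contain
             markup is shown literally instead of being interpreted by the browser. -->
        <div style="white-space: pre-wrap;">$T_u_why_did_this_happen|h$</div>
      </html>
    </panel>
  </row>
</dashboard>
```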

krishnamohan658
New Member

RCA

<panel>
  <table>
    <title>Format</title>
    <search>
      <query>index=snow_prod sourcetype=snow:problem "PRB75601" | dedup sys_id | fields ticket_id,u_why_did_this_happen </query>
      <earliest>-30d@d</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">row</option>
    <drilldown>
      <set token="T_ticket_id">"$row.ticket_id$"</set>
      <set token="T_u_why_did_this_happen">"$row.u_why_did_this_happen$"</set>
    </drilldown>
    <fields>["ticket_id","u_why_did_this_happen"]</fields>
  </table>
</panel>


<panel>
<html>
    T_ticket_id=$T_ticket_id$
    T_u_why_did_this_happen=$T_u_why_did_this_happen$
  </html>
</panel>

It's not working. Help me find where I am going wrong.


krishnamohan658
New Member

Hi, I'm still in a confused state about whether it's doable or not with any command other than the table command.
