Splunk Search

How to add spacing between multiple eventdata lines of a transaction?

SonnyB
Explorer

Say, for an access_combined type of log, I group by SessionId for creating transaction paragraphs.
Some paragraphs have as many as 12 lines in them, all displayed one after another (a bit of a cluttered look). It would be nice to be able to append "\n\n" (2 spacing newlines) to the _raw to space out the display of these multiple eventdata lines of the transaction results.
I tried with:

strcat "\n" _raw "\n" mynewrawline

but the strcat does not interpret "\n" properly.

Any suggestions would be appreciated.

Second related question is: I also tried piping to table and showing the table of all fields.
The spacing looks a bit better, but the problem that then arises is: The fields with the common values are shown only once in the transaction paragraph (the cell below the present row remains empty). The users want to see the dense-table: with all the rows completely filled with all the values of all the fields of every eventdata line gathered in the transaction paragraph in the Results area (and not the sparse table, where duplicate field values are omitted).

Any help with this will be greatly appreciated. Thanks.

0 Karma

Joshie
New Member

I have an XML sourcetype that has multi-value data spread across different fieldnames:
e.g. starttime, stoptime, instruction

My problem is that the "instruction" field is really really long.

When I do a table starttime, stoptime, instruction, the results look misaligned.

e.g.

starttime stoptime instruction
0900 0935 First instruction is to
0930 0940 move the cargo to the east
0940 1020 side of the dock.
Second instruction appears
not align to the 0930 starttime.
Third instruction really needs to
the 0940 line.

I was hoping I can put each instruction align to the correct starttime.

Any help much appreciated!

Kind Regards,
Joshie

0 Karma

Dan
Splunk Employee

Part 1: If you're using transaction with Splunk 4.3 or later, you can specify mvraw=t delim="\n\n".

(In my case, on a mac, I had to hit option+shift+return to get the \n recognized)

Part 2: Again with transaction, try mvlist=t. With stats try list()

paxindustria
Engager

Thanks for the answer on this one! I'm also on a Mac and pounded against this for some time. In the end I actually had to save the transaction command in my macro like this:

|transaction delim=
src_host,

with the actual line break breaking the macro. I was never able to get delim="\n" to work, it always showed up in email as \n as opposed to


0 Karma

Ayn
Legend

You can't use strcat like that, because even if it worked it would just add newlines before and after all the lines in the transaction. Instead you could use the rex command in sed mode to replace any \n character with two \n's. The Splunk web ui tries to be a bit "smart" about the newlines though, so if you just give it two newlines it will not create an extra line unless there's any text in it. So, the trick to avoid that is to add a space between the newlines.

... | rex mode=sed field=_raw "s/\n/\n \n/g"

As for your second question, I don't completely get the desired output, but you might want to look into using stats values and create a table using that.
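Putting Dan's and Ayn's suggestions together for the original access_combined case, as an added example that is not from any poster in this thread. These are two separate searches: the first spaces out the grouped _raw lines, the second builds the dense per-session table. The index name `web`, the `maxspan` value and the field names (clientip, method, uri, status, bytes) are assumptions; on a Mac the `\n` in `delim` may need to be typed as a literal line break, as Dan describes.

```spl
index=web sourcetype=access_combined SessionId=*
| transaction SessionId maxspan=30m mvraw=t delim="\n\n" mvlist=t
| table SessionId eventcount duration _raw

index=web sourcetype=access_combined SessionId=*
| fillnull value="-" clientip method uri status bytes
| eval time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| sort 0 _time
| stats list(time) AS time list(clientip) AS clientip list(method) AS method
        list(uri) AS uri list(status) AS status list(bytes) AS bytes
        BY SessionId
| table SessionId time clientip method uri status bytes
```

If the web UI collapses the empty line produced by `delim="\n\n"`, use Ayn's form `delim="\n \n"` (a space between the newlines). The `fillnull` step is what keeps the list() columns aligned row by row, since list() skips events where a field is missing (the misalignment Joshie describes); note that list() keeps at most 100 values per field, so very long sessions need a tighter `maxspan` or an events cut.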

SonnyB
Explorer

Thank you Ayn for the rex-sed trick above. For the second part, I'll investigate further. (Basically, the transaction table display needs to show all rows, all column headers and all values in every cell, even if some of them are duplicate/repetitive. But this does not happen if you pipe everything out to the final table segment. It "smartens" out the display by showing spaces for duplicate values -- and this is deemed undesirable by the app users -- they want a dense table output showing everything of all grouped events).

0 Karma