Splunk Search

How to format data in a table column to print one entry on a line?

OldManEd
Builder

Is there a way to format data in a table column to print one entry on a line? In my alert the table data shows up something like this:

Column A            Column B                       Column C
1.1.1.1            server1.my.domain ser     Some data 1
                   erver2.my.domain serv     some data 2
                   er3.my.domain

What I need to do is have that same data show up like this:

Column A         Column B                       Column C
1.1.1.1          server1.my.domain      Some data 1
                 server2.my.domain      Some data 2
                 server3.my.domain

I was thinking about adding a new line to each entry but I'm not sure that would work.

Any ideas out there?

~Ed

0 Karma

DalJeanis
SplunkTrust

To a degree, this is committing spreadsheet, but as a last resort you could do this...

(your search here)
| table ColumnA ColumnB ColumnC
| streamstats count as recno
| eval maxrecs=if(mvcount(ColumnB)>mvcount(ColumnC),mvcount(ColumnB),mvcount(ColumnC))
| eval myfan=mvrange(0,maxrecs)
| mvexpand myfan
| eval ColumnB=case(myfan<mvcount(ColumnB),mvindex(ColumnB,myfan))
| eval ColumnC=case(myfan<mvcount(ColumnC),mvindex(ColumnC,myfan))
| table recno myfan maxrecs ColumnA ColumnB ColumnC

This should give you

recno    myfan    maxrecs    ColumnA          ColumnB                ColumnC
1        1        3          1.1.1.1          server1.my.domain      Some data 1
1        1        3          1.1.1.1          server2.my.domain      Some data 2
1        1        3          1.1.1.1          server3.my.domain

Assuming the above looks okay, then you can do this to get rid of the duplicate ColumnA values and return the desired columns.

| streamstats count as count1 by recno
| eval ColumnA = case(count1=1,ColumnA)
| eval recno = case(count1=1,recno) 
| table recno ColumnA ColumnB ColumnC

That gives you the display you want, although technically in multiple events per ColumnA value.

recno    ColumnA          ColumnB                ColumnC
1        1.1.1.1          server1.my.domain      Some data 1
                          server2.my.domain      Some data 2
                          server3.my.domain
2        1.1.1.2          server4.my.domain      Some data 3
3        1.1.1.3          server5.my.domain      Some data 4
                          server6.my.domain      Some data 5 
                                                 Some data 6
0 Karma
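
The fan-out above can be written once for any number of multivalue columns instead of one eval per column. The following SPL is an added example, not DalJeanis's own search and not taken from Splunk documentation; it assumes ColumnA is the single-valued key and that ColumnB and ColumnC are the multivalue columns (add further field names to both foreach lists to cover more columns). foreach substitutes each listed field name for <<FIELD>>, coalesce keeps maxrecs numeric when a column is absent from an event, and the final streamstats blanks the repeated ColumnA on every row but the first of each original event.

```spl
(your search here)
| table ColumnA ColumnB ColumnC
| streamstats count as recno
| eval maxrecs=1
| foreach ColumnB ColumnC
    [ eval maxrecs=max(maxrecs, coalesce(mvcount('<<FIELD>>'), 0)) ]
| eval myfan=mvrange(0, maxrecs)
| mvexpand myfan
| foreach ColumnB ColumnC
    [ eval <<FIELD>>=if(myfan < coalesce(mvcount('<<FIELD>>'), 0), mvindex('<<FIELD>>', myfan), null()) ]
| streamstats count as count1 by recno
| eval ColumnA=if(count1=1, ColumnA, null())
| fields - recno myfan maxrecs count1
| table ColumnA ColumnB ColumnC
```

Because mvexpand creates one row per index, an event whose longest multivalue column holds n values becomes n rows; rows beyond a shorter column's length get a null for that column, which renders as an empty cell in the alert table. Keep the helper fields (recno, myfan, maxrecs, count1) in the last table while checking the result, and drop them only once the output looks right.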

OldManEd
Builder

DalJeanis,
Thank you for your update but right now I'm looking at 20 columns and think your solution might get a little out of hand for me. I will keep it in mind if this next possibility doesn't work.

I've been looking around and ~think~ I've found another solution. Unfortunately I really don't know how to implement it at the moment. From what I've read, using the keyword "nowrap" in the "td" definition will prevent text in the cell from breaking into multiple lines. The example that was given is below:

<table>
  <tr>
    <th>Poem</th>
    <th>Poem</th>
  </tr>
  <tr>
    <td nowrap>Never increase, beyond what is necessary, the number of entities required to explain anything</td>
    <td>Never increase, beyond what is necessary, the number of entities required to explain anything</td>
  </tr>
</table>

This worked perfectly in the example.

Now I thought I saw that somewhere in Splunk there is a CSS file that controls the output of the alert emails. Unfortunately I can't seem to find that file nor any reference to it. If anyone out there can point me to the specific CSS file associated with a scheduled search I'd really appreciate it.

~Ed

0 Karma

somesoni2
SplunkTrust

What's your current alert search generating that output?

0 Karma

somesoni2
SplunkTrust

So, if your search is like this:

index=_internal | stats values(sourcetype) as sourcetypes by host

You can transform your query like this to format the report/alert email (inline) output:

index=_internal | stats values(sourcetype) as sourcetypes by host delim="," | rex mode=sed field=sourcetypes "s/,/\n/g"

0 Karma

OldManEd
Builder

somesoni2,
Thank you for your reply, but it didn't work. And it's really my fault. Looking closer at the email report I saw the issue was really a long line of data wrapping around to the next line. Each entry started on its own line, but longer ones were causing the issue. Using the example above, the issue was showing up as:

 Column A        Column B               Column C
 1.1.1.1            server1.my.dom    Some data 1
                         ain                            Some data 2
                         server002.my.do
                         main 
                         server3.my.dom
                         ain     

What I need is a way to force the size of a specific column in the email to something that will be long enough to hold all the line data without wrapping. That I can't find.

~Ed

0 Karma