Splunk Search

Table format field size

lspringer
Path Finder

We are trying to create a table view of some event log messages, however some of the event log messages are very long and require a lot of horizontal scrolling to read. We'd like to be able to view the message field all at once, by doing something like having double or triple height rows or word wrap in some way.

Is there anyway to do this?

alt text

1 Solution

lguinn2
Legend

I have written a macro that takes a very long field and turns it into a multi-valued field where each value is 100 characters or less. It isn't pretty, but it works.

Here is the macro definition. I just copied it from macros.conf

[long_line_breaker(1)]
# splits a really long field into multiple parts
args = line_text
definition = eval $line_text$=if(len($line_text$) < 100, $line_text$, replace($line_text$, "(.{100})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 202, $line_text$, replace($line_text$, "(.{202})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 304, $line_text$, replace($line_text$, "(.{304})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 406, $line_text$, replace($line_text$, "(.{406})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 508, $line_text$, replace($line_text$, "(.{508})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 610, $line_text$, replace($line_text$, "(.{610})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 712, $line_text$, replace($line_text$, "(.{712})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 814, $line_text$, replace($line_text$, "(.{814})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 916, $line_text$, replace($line_text$, "(.{916})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 1018, $line_text$, replace($line_text$, "(.{1018})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) >= 100, split($line_text$,"\n"),$line_text$)
iseval = 0

I use it in a search like this:

yoursearchhere
| table Message
| `long_line_breaker(Message)`

It works for fields of up to 1100 characters, more or less.

HTH

View solution in original post

lguinn2
Legend

I have written a macro that takes a very long field and turns it into a multi-valued field where each value is 100 characters or less. It isn't pretty, but it works.

Here is the macro definition. I just copied it from macros.conf

[long_line_breaker(1)]
# splits a really long field into multiple parts
args = line_text
definition = eval $line_text$=if(len($line_text$) < 100, $line_text$, replace($line_text$, "(.{100})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 202, $line_text$, replace($line_text$, "(.{202})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 304, $line_text$, replace($line_text$, "(.{304})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 406, $line_text$, replace($line_text$, "(.{406})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 508, $line_text$, replace($line_text$, "(.{508})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 610, $line_text$, replace($line_text$, "(.{610})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 712, $line_text$, replace($line_text$, "(.{712})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 814, $line_text$, replace($line_text$, "(.{814})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 916, $line_text$, replace($line_text$, "(.{916})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 1018, $line_text$, replace($line_text$, "(.{1018})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) >= 100, split($line_text$,"\n"),$line_text$)
iseval = 0

I use it in a search like this:

yoursearchhere
| table Message
| `long_line_breaker(Message)`

It works for fields of up to 1100 characters, more or less.

HTH

lokuly
New Member

That regex is hugely helpful. Never even considered doing it that way.

0 Karma

lspringer
Path Finder

I got this to work as expected. jonuwz helped to round this all out. For the sake of documentation, I went to Manager » Advanced search » Search macros, created a new macro.

Name : line_breaker(1)
Definition : rex max_match=100 field="$field$" "(?.{0,100}(?:\s|$)|[^\s]+)" | rename split__regex as "$field$"
Argument : field

Then I ran the search : host=server01 sourcetype="WinEventLog:Application" | table Message | line_breaker(Message)

Thanks to both of you for your assistance.

DEAD_BEEF
Builder

Thank you @lspringer for detailing this

0 Karma

lguinn2
Legend

Nicer! Thanks!

0 Karma

jonuwz
Influencer

And for the regex masochists..

rex max_match=100 field="$field$" "(?<split__regex>.{0,100}(?:\s|$)|[^\s]+)" | rename split__regex as "$field$"

splits lines into 100 character chunks on whitespace boundaries unless there's no whitespace for 100 characters, in which case the width will expand to fit.

The regex to split unconditionally at 100 chars is

"(?<split__regex>.{0,100}(?:\s|$)|.{100})"

lspringer
Path Finder

I've tried this and it works but as you stated it's not very pretty. Thanks...

0 Karma

sideview
SplunkTrust
SplunkTrust

The easiest way is probably to use the Sideview Table module instead of the SimpleResultsTable module. Table has many significant improvements over SimpleResultsTable, but a tiny one that I honestly never noticed is that SimpleResultsTable forces long values to live on one line, whereas Table doesn't do this...

http://sideviewapps.com/apps/sideview-utils/

To get the Table module you'll need a relatively new version of Sideview Utils - Table only came out in 2.2, the current version is 2.2.6, and the old version on Splunkbase is 1.3.5

Assuming that someday someone will want the reverse behavior though, I'll add a requirement to my list to make Table respect the $results.softWrap$ convention, so if you need to, you can set softWrap to false upstream and the Table would then behave like SRT.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...