Dashboards & Visualizations

How do I put over 100 results into one line?

jkcadaing
New Member

Good morning Splunkers!

I need help please! I am working on a dashboard that shows a list of MAC Addresses and sometimes the list is over 100 different addresses depending on the area.

So basically, I need to take multiple rows and put them into one line. I have a table that utilizes the nomv command, but it limits the MAC Addresses to 100. I use this table to drilldown to a custom URL, which is another Splunk instance that passes the list of MAC Addresses into another search for further processing.

Below is what I have: it places colons between every two characters of an unformatted MAC address, then throws it into a stats command to list them and add " OR " between each one, and finally nomv takes the multivalue field and puts it into one row. I've played around with using the head and tail commands to get as much as I can, however it is not enough and gives some duplicates if there are fewer than 200.

| eval MAC_Address=replace(MacAddress, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6") 
| stats list(MAC_Address) as MAC_Address delim=" OR " 
| nomv MAC_Address

I was wondering if there is another command/way that will allow me to take more than 100 and put them into one line to pass through? I am open to other methods such as scripting to accomplish this.

1 Solution

FrankVl
Ultra Champion

If you want to take a list of mac addresses and format it as a (part of a) search string, use the format command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format

e.g.:

...
| eval MAC_Address=replace(MacAddress, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6") 
| fields MAC_Address
| format

Though this results in MAC_Address=x:x:x:x OR MAC_Address=a:b:c:d etc. So if you don't want that MAC_Address= part, you would have to strip that out again.



jkcadaing
New Member

Thank you for the quick reply! The command works well, but I've found anything over 150 causes a 414 Request-URI Too Large error haha.

Wondering maybe is there a way to select 0-100, 101-200, 201-300, etc?


FrankVl
Ultra Champion

Right, your problem is with passing this to a URL that is called as a drilldown. You might need to run the sub search that generates the list of mac addresses again as part of the drilldown, rather than passing the list along.

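The same job done as a script instead of SPL (the OP said scripting was an option): this is an added example, not code from anyone in the thread. It reproduces what the posted eval/replace, stats list and format pipeline does to the MAC list, drops the duplicates the head/tail attempts produced, and then packs the OR clause into several drilldown URLs so each one stays under the web server's request-URI limit, which is where the 414 at roughly 150 addresses comes from. The base URL, the token name `q`, the 2000-character budget and the sample MACs are all constructed for the example. One aside the thread does not mention: the 100-value ceiling on `list()` is the `list_maxsize` setting in the `[stats]` stanza of limits.conf, but raising it would only move the problem to the URL limit.

```python
"""Build Splunk drilldown URLs from a long list of MAC addresses.

Added example, not code from the thread. Assumptions (none come from the
thread): the receiving dashboard reads the clause from a token named `q`;
BASE_URL and MAX_URL_LEN are placeholders; raw MACs are 12 hex digits,
optionally with :, - or . separators.
"""
import re
from typing import Iterable, List
from urllib.parse import parse_qs, quote, urlsplit

HEX12 = re.compile(r"^[0-9a-f]{12}$")
BASE_URL = "https://splunk.example/app/search/search"  # placeholder
MAX_URL_LEN = 2000  # placeholder budget; real servers allow ~8k, browsers vary


def format_mac(raw: str) -> str:
    """Normalize to lower-case aa:bb:cc:dd:ee:ff, like the eval/replace in the thread.

    Anything that is not exactly 12 hex digits once separators are stripped is
    rejected, so nothing but MAC addresses ever lands in the search string that
    the other Splunk instance executes.
    """
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def dedupe(values: Iterable[str]) -> List[str]:
    """Drop repeats while keeping first-seen order."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def or_clause(macs: List[str], field: str = "MAC_Address") -> str:
    """Join values the way Splunk's `format` does: ( ( f="v1" ) OR ( f="v2" ) )."""
    return "( " + " OR ".join(f'( {field}="{m}" )' for m in macs) + " )"


def _url(base_url: str, field: str, macs: List[str]) -> str:
    # The server measures the encoded form, so the budget is checked on it.
    return f"{base_url}?q={quote(or_clause(macs, field), safe='')}"


def drilldown_urls(raw_macs: Iterable[str], base_url: str = BASE_URL,
                   field: str = "MAC_Address",
                   max_url_len: int = MAX_URL_LEN) -> List[str]:
    """Greedily pack MACs into as few URLs as possible, each <= max_url_len.

    This is the 0-100 / 101-200 split the OP asked about, but sized by encoded
    URL length rather than by a fixed count, so it adapts to the field name and
    the base URL.
    """
    macs = dedupe(format_mac(m) for m in raw_macs)
    urls: List[str] = []
    batch: List[str] = []
    for mac in macs:
        if batch and len(_url(base_url, field, batch + [mac])) > max_url_len:
            urls.append(_url(base_url, field, batch))
            batch = []
        if not batch and len(_url(base_url, field, [mac])) > max_url_len:
            raise ValueError(f"{mac} alone exceeds the URL budget of {max_url_len}")
        batch.append(mac)
    if batch:
        urls.append(_url(base_url, field, batch))
    return urls


def macs_from_url(url: str, field: str = "MAC_Address") -> List[str]:
    """Receiving side: pull the MAC values back out of the q token."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return re.findall(rf'{re.escape(field)}="([^"]+)"', q)


if __name__ == "__main__":
    # Constructed sample: 250 distinct MACs plus a few repeats.
    sample = [f"00112233{i:04x}" for i in range(250)]
    for u in drilldown_urls(sample + sample[:5]):
        print(len(u), len(macs_from_url(u)))
```

On the receiving dashboard, treat the token as data rather than as a search fragment: validate each value with `format_mac` (or the `macs_from_url` pattern) and rebuild the clause locally, so a crafted URL cannot smuggle extra SPL into the second instance's search.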