limit results in a cell

ccsfdave · ‎04-19-2013

Greetings,

I want to limit the results in a cell. More succinctly, I want to show maybe 10 values and then put the rest in "and xxx more values"

sideview · ‎04-22-2013

If you're already in a custom dashboard, you can do this in the Advanced XML, with Sideview Utils, with a couple advanced Sideview Utils and a little bit of custom code. Sideview Utils is usually used for far more everyday stuff, like making a nice simple form search dashboard, or making a chart drilldown easier to implement. However it can do some pretty far-out use cases, including this one.

The basic idea is to use the search language to do most of the work, and then use the Sideview Table module's embedding feature to render two different port lists into the tablecells -- one list that is truncated and one not. We'll also put in a little link that says "show all", and at the last step we'll use 6 lines of javascript to tie it all together.

step 1) get latest Sideview Utils from http://sideviewapps.com/apps/sideview-utils and install it into your Splunk instance. If you only have the most recent one from Splunkbase you'll have to upgrade to the real latest from our site.

step 2) Here's the XML

<module name="PostProcess">
  <param name="search"><![CDATA[
   | eval fullPortList=mvjoin(Ports,"<br>") 
   | eval shortPortList=if(mvcount(Ports)>10,mvjoin(mvindex(Ports,0,9),"<br>")+"....",fullPortList) 
  | eval expandLinkText=if(mvcount(Ports)>10,"(expand)","")
  ]]></param> 

  <module name="Pager">

    <module name="Table">
      <param name="hiddenFields">shortPortList fullPortList expandLinkText</param>

      <module name="HTML" group="row.fields.Ports">
        <param name="html"><![CDATA[
          <span class="shortPortList">$row.fields.shortPortList$ <a class="expand" onclick="expandShortList(this)">$row.fields.expandLinkText$</a></span>
          <span class="longPortList" style="display:none;">$row.fields.longPortList$</span>
        ]]></param>
      </module>
    </module>
  </module>
</module>

Step 3) Put this javascript into the /appserver/static/application.js file in your app, or you can use another Sideview HTML module to put it in `

ccsfdave · ‎04-22-2013

This sounds like it could be the solution I am looking for but can you get a bit more specific about the code and files? I see that I have sideview installed, not sure if it then becomes the default behavior of charts.

dart · ‎04-21-2013

You could do this with a search, except for the and 'xxx more values':

dest_port!=80 dest_port!=443 | top 10 dest_port by src_ip | sort -count

ccsfdave · ‎04-22-2013

If I understand you correctly, this doesn't get me what I want. I still like the groupings of ports by IP address. If I translated your suggestion correctly, I get redundant IPs and unique ports.

dest_port!=80 dest_port!=443 | top 10 dest_port by src_ip | rename src_ip AS "Source IP" |rename dest_port AS "Ports"|  table "Source IP" "Ports" count| sort -count

sideview · ‎04-19-2013

If this is a custom dashboard that you're in, I can tell you how I've done something very similar using Sideview Utils. I used the Table module's embedding feature to put in two different values that I created in the search language - one was truncated and one not. the full value is initially invisible via CSS. Also there's a little link we add saying "show all". Then we add 6 lines of javascript into the page (either into application.js, or embedded using an HTML module). When the link is clicked the truncated one is hidden as well as the link, and the full one shown.

ccsfdave · ‎04-19-2013

Here is the URL of the image for a better view: http://apps.sfgov.org/showcase/wp-content/uploads/2011/03/morevalues.png

limit results in a cell

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk