We are trying to create a table view of some event log messages, however some of the event log messages are very long and require a lot of horizontal scrolling to read. We'd like to be able to view the message field all at once, by doing something like having double or triple height rows or word wrap in some way.
Is there any way to do this?
I have written a macro that takes a very long field and turns it into a multi-valued field where each value is 100 characters or less. It isn't pretty, but it works.
Here is the macro definition. I just copied it from macros.conf
[long_line_breaker(1)]
# splits a really long field into multiple parts
args = line_text
definition = eval $line_text$=if(len($line_text$) < 100, $line_text$, replace($line_text$, "(.{100})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 202, $line_text$, replace($line_text$, "(.{202})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 304, $line_text$, replace($line_text$, "(.{304})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 406, $line_text$, replace($line_text$, "(.{406})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 508, $line_text$, replace($line_text$, "(.{508})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 610, $line_text$, replace($line_text$, "(.{610})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 712, $line_text$, replace($line_text$, "(.{712})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 814, $line_text$, replace($line_text$, "(.{814})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 916, $line_text$, replace($line_text$, "(.{916})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 1018, $line_text$, replace($line_text$, "(.{1018})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) >= 100, split($line_text$,"\n"),$line_text$)
iseval = 0
I use it in a search like this:
yoursearchhere
| table Message
| `long_line_breaker(Message)`
It works for fields of up to 1100 characters, more or less.
HTH
That regex is hugely helpful. Never even considered doing it that way.
I got this to work as expected. jonuwz helped to round this all out. For the sake of documentation, I went to Manager » Advanced search » Search macros, created a new macro.
Name : line_breaker(1)
Definition : rex max_match=100 field="$field$" "(?
Argument : field
Then I ran the search : host=server01 sourcetype="WinEventLog:Application" | table Message | line_breaker(Message)
Thanks to both of you for your assistance.
Thank you @lspringer for detailing this
Nicer! Thanks!
And for the regex masochists..
rex max_match=100 field="$field$" "(?<split__regex>.{0,100}(?:\s|$)|[^\s]+)" | rename split__regex as "$field$"
This splits lines into 100-character chunks on whitespace boundaries unless there's no whitespace for 100 characters, in which case the width will expand to fit.
The regex to split unconditionally at 100 chars is
"(?<split__regex>.{0,100}(?:\s|$)|.{100})"
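The following Python is an added example, not code from this thread or from Splunk. It reimplements the two `rex` patterns above (the whitespace-boundary split and the unconditional split) with Python's `re` module, whose relevant semantics match Splunk's PCRE-based `rex` for these patterns (leftmost alternative wins, greedy `{0,n}` backtracks to the last whitespace, `.` does not cross a newline), so the chunking behaviour, including the long-token edge case, can be checked offline. It also serves as a test bed for the same goal the eval-based macro earlier in the thread pursues. The function name `split_field`, the `width` and `max_chunks` parameters (standing in for the literal 100 and `max_match=100`), and the sample event message are my own assumptions; the message is constructed, not a real log.

```python
import re


def split_field(text: str, width: int = 100, on_whitespace: bool = True,
                max_chunks: int = 100) -> list[str]:
    """Split a long field value into chunks the way the thread's rex patterns do.

    on_whitespace=True  -> "(?<split__regex>.{0,W}(?:\\s|$)|[^\\s]+)"
                           chunks of at most W chars ending on whitespace; a
                           single token longer than W is kept whole.
    on_whitespace=False -> "(?<split__regex>.{0,W}(?:\\s|$)|.{W})"
                           same, but a token longer than W is cut hard at W.
    max_chunks mirrors rex's max_match (the thread uses 100).  Assumed names.
    """
    if on_whitespace:
        pattern = rf"(?P<split__regex>.{{0,{width}}}(?:\s|$)|[^\s]+)"
    else:
        pattern = rf"(?P<split__regex>.{{0,{width}}}(?:\s|$)|.{{{width}}})"

    chunks: list[str] = []
    for m in re.finditer(pattern, text):
        # The first alternative can match the empty string at end-of-text and
        # swallows the boundary whitespace; strip it and drop empty pieces.
        piece = m.group("split__regex").strip()
        if piece:
            chunks.append(piece)
        if len(chunks) >= max_chunks:
            break
    return chunks


# Constructed sample in the shape of a Windows Security event message (not a
# real log line); every token is shorter than 100 characters.
SAMPLE_MESSAGE = (
    "An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - "
    "Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: "
    "Security ID: S-1-0-0 Account Name: svc-backup Account Domain: CORP "
    "Failure Information: Failure Reason: Unknown user name or bad password. "
    "Status: 0xC000006D Sub Status: 0xC000006A"
)


if __name__ == "__main__":
    # Width 10 makes the behaviour easy to follow by eye.
    print(split_field("alpha beta gamma delta", width=10))
    # A 16-character token with the whitespace-boundary pattern is kept whole...
    print(split_field("abcdefghijklmnop qr", width=10))
    # ...and is cut hard at 10 characters with the unconditional pattern.
    print(split_field("abcdefghijklmnop qr", width=10, on_whitespace=False))
    for i, chunk in enumerate(split_field(SAMPLE_MESSAGE), 1):
        print(f"{i:2d} ({len(chunk):3d} chars): {chunk}")
```

Because chunk boundaries are whitespace that the match consumes, joining the whitespace-mode chunks with a single space reproduces a single-spaced message exactly, which is a quick way to confirm nothing was dropped before relying on the multivalue field in a dashboard.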
I've tried this and it works but as you stated it's not very pretty. Thanks...
The easiest way is probably to use the Sideview Table module instead of the SimpleResultsTable module. Table has many significant improvements over SimpleResultsTable, but a tiny one that I honestly never noticed is that SimpleResultsTable forces long values to live on one line, whereas Table doesn't do this...
http://sideviewapps.com/apps/sideview-utils/
To get the Table module you'll need a relatively new version of Sideview Utils - Table only came out in 2.2, the current version is 2.2.6, and the old version on Splunkbase is 1.3.5
Assuming that someday someone will want the reverse behavior though, I'll add a requirement to my list to make Table respect the $results.softWrap$ convention, so if you need to, you can set softWrap to false upstream and the Table would then behave like SRT.