topic Re: Table format field size in Splunk Search

Table format field size

lspringer — Tue, 27 Nov 2012 17:31:34 GMT

We are trying to create a table view of some event log messages, however some of the event log messages are very long and require a lot of horizontal scrolling to read. We'd like to be able to view the message field all at once, by doing something like having double or triple height rows or word wrap in some way.

Is there anyway to do this?

Re: Table format field size

sideview — Tue, 27 Nov 2012 17:53:06 GMT

The easiest way is probably to use the Sideview Table module instead of the SimpleResultsTable module. Table has many significant improvements over SimpleResultsTable, but a tiny one that I honestly never noticed is that SimpleResultsTable forces long values to live on one line, whereas Table doesn't do this...

http://sideviewapps.com/apps/sideview-utils/

To get the Table module you'll need a relatively new version of Sideview Utils - Table only came out in 2.2, the current version is 2.2.6, and the old version on Splunkbase is 1.3.5

Assuming that someday someone will want the reverse behavior though, I'll add a requirement to my list to make Table respect the $results.softWrap$ convention, so if you need to, you can set softWrap to false upstream and the Table would then behave like SRT.

Re: Table format field size

lguinn2 — Tue, 27 Nov 2012 19:11:44 GMT

I have written a macro that takes a very long field and turns it into a multi-valued field where each value is 100 characters or less. It isn't pretty, but it works.

Here is the macro definition. I just copied it from macros.conf

[long_line_breaker(1)]
# splits a really long field into multiple parts
args = line_text
definition = eval $line_text$=if(len($line_text$) < 100, $line_text$, replace($line_text$, "(.{100})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 202, $line_text$, replace($line_text$, "(.{202})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 304, $line_text$, replace($line_text$, "(.{304})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 406, $line_text$, replace($line_text$, "(.{406})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 508, $line_text$, replace($line_text$, "(.{508})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 610, $line_text$, replace($line_text$, "(.{610})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 712, $line_text$, replace($line_text$, "(.{712})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 814, $line_text$, replace($line_text$, "(.{814})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 916, $line_text$, replace($line_text$, "(.{916})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 1018, $line_text$, replace($line_text$, "(.{1018})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) >= 100, split($line_text$,"\n"),$line_text$)
iseval = 0

I use it in a search like this:

yoursearchhere
| table Message
| `long_line_breaker(Message)`

It works for fields of up to 1100 characters, more or less.

HTH

Re: Table format field size

lspringer — Tue, 27 Nov 2012 20:56:00 GMT

I've tried this and it works but as you stated it's not very pretty. Thanks...

Re: Table format field size

jonuwz — Tue, 27 Nov 2012 21:05:33 GMT

And for the regex masochists..

rex max_match=100 field="$field$" "(?<split__regex>.{0,100}(?:\s|$)|[^\s]+)" | rename split__regex as "$field$"

splits lines into 100 character chunks on whitespace boundaries unless there's no whitespace for 100 characters, in which case the width will expand to fit.

The regex to split unconditionally at 100 chars is

"(?<split__regex>.{0,100}(?:\s|$)|.{100})"

Re: Table format field size

lguinn2 — Tue, 27 Nov 2012 21:10:25 GMT

Nicer! Thanks!

Re: Table format field size

lspringer — Mon, 28 Sep 2020 12:53:08 GMT

I got this to work as expected. jonuwz helped to round this all out. For the sake of documentation, I went to Manager » Advanced search » Search macros, created a new macro.

Name : line_breaker(1)
Definition : rex max_match=100 field="$field$" "(?.{0,100}(?:\s|$)|[^\s]+)" | rename split__regex as "$field$"
Argument : field

Then I ran the search : host=server01 sourcetype="WinEventLog:Application" | table Message | line_breaker(Message)

Thanks to both of you for your assistance.

Re: Table format field size

lokuly — Mon, 20 May 2013 23:37:07 GMT

That regex is hugely helpful. Never even considered doing it that way.

Re: Table format field size

DEAD_BEEF — Fri, 14 Sep 2018 15:54:04 GMT

Thank you @lspringer for detailing this