no of events in show_source view

smolcj — Tue, 22 Jan 2013 06:01:29 GMT

hi,
the default number of events displayed in show source are 25,50,100,200,500,1000.
Can i change it so that i can see all the events in my source file,there are nearly 7000 events in my source file. i tried changing the static options defined in Show_source view. but is of no change, can somebody help me.
Please help
Thank you

Re: no of events in show_source view

lguinn2 — Tue, 22 Jan 2013 09:32:56 GMT

What version of Splunk are you using?

Re: no of events in show_source view

smolcj — Tue, 22 Jan 2013 10:23:47 GMT

Version 5.0.1..

Re: no of events in show_source view

smolcj — Wed, 23 Jan 2013 09:36:26 GMT

7000
when i am trying this option under showsource module i am getting a statement like
Show source not available for this event..
Any thoughts
please help

Re: no of events in show_source view

smolcj — Tue, 12 Feb 2013 11:42:21 GMT

Please help me to fix this,,
i want to show my entire log through show source, but now i am able to show only last 1000 rows
please help

Re: no of events in show_source view

sideview — Mon, 28 Sep 2020 13:19:01 GMT

You can change the show_source view's XML, so as to add higher row numbers like 10000, and in some cases such a change will result in 10,000 or more rows being displayed. Technically it will display 10,000 rows before the selected event and 10,000 rows after, for a total event count of 20,001.

However I do not think this is generally possible for all distributions of events in time. I can reproduce cases where it will indeed render 20,001 events. However I can also find lots of cases where it gives up before reaching those numbers. Above about 1000, Show source will not necessarily go and get all the 10,000 rows that the user has asked for, because it may find the request difficult to fulfill and it may assume from that that there are no more events to get when in fact there are.

Long version: Show source in the Splunk Search app is implemented using an obscure argument in the REST API, and one that is undocumented. You can look into ShowSource.py, or just read the splunkd_access log to see the requests that get made back to splunkd to fulfill show-source requests. There is an "surrounding=1" argument that gets passed, even though such an argument is not documented in the official rest api docs.

/services/search/jobs/1360821045.803/events?latest_time=1338534000&max_lines=500&surrounding=1&count=10000&field_list=_raw%2Ctarget%2CMSG_TYPE%2CMSG_CONTENT%2C_decoration&offset=90&show_empty_fields=True&output_mode=json&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z&time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S%25z

http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D.2Fevents

Note the surrounding=1 argument in the splunkd_access log snippet posted above. surrounding=1 tells the API that instead of getting the events for this search result, it should go to offset=90 of the current search result, get that one event, get the 'source' and 'host' field values of that event, and then do a separate search in the index for other events that have that source and host, that are nearby in time. Starting from that point and going backward in time to get the events is a piece of cake for Splunk, but starting from that point and going forward in a historical sense, is a bit harder. And I think in this implementation if it finds itself struggling, it allows itself to give up before it's actually reached the 10,000 mark or whatever you've set for it.

topic Re: no of events in show_source view in Splunk Search

no of events in show_source view

Re: no of events in show_source view

Re: no of events in show_source view

Re: no of events in show_source view

Re: no of events in show_source view

Re: no of events in show_source view