How to set count of displayed events in Dashboard event view / simple XML?

zkelemen
Explorer

I'm trying to add an event view to a dashboard, but Splunk seems to ignore the options set in the XML:

    <event>
      <searchName>Global AAA - Failed: bad password</searchName>
      <title>Mistyped Passwords</title>
      <fields>User,NetworkDeviceName</fields>
      <count>15</count>
      <maxLines>1</maxLines>
    </event>

I have also tried other variations like <option name="count">15</option> and <event count=15>. Every time I still get about 26 entries.

0 Karma
1 Solution

lguinn2
Legend

<option name="count">15</option>

is the format that I have always used, although I assume that the other format works as well, since it is in the manual.
If you simply run the search, do you get about 26 entries?

I think the description in the manual is a bit confusing - Splunk does not limit the results to 15 events, but it should limit the results to 15 per page. Try adding the following

<option name="showPager">true</option>

and see if that changes things. If you really only want 15 events total, edit your saved search, and limit the results by adding

| head 15

for example.

zkelemen
Explorer

Unfortunately, Splunk seems to ignore the showPager attempt as well, but adding a head limit to the original search did the trick. Thanks.

0 Karma