Sideview Table - How to wordwrap at certain width

IngloriousSplun · ‎05-05-2015

Is there a CSS or other parameter that can be set for the Sideview Table module to word wrap after a certain width? I have some fields that have particularly long content, such as suspicious / malicious URLs and the wrap default sometimes requires scrolling.

Thanks.

sideview · ‎05-06-2015

URL's are particularly tricky because the are single enormous words, and normal wrapping isn't allowed to break words. Of course there are ways to do this.

If you have a good browser spec I think you can just do

&lt;module name="Table"&gt;
  &lt;param name="cssClass"&gt;wordBreakingTable&lt;/param&gt;

and then in your application.css

.wordBreakingTable td {
word-wrap: break-word;
}

However depending on your browser support and specific requirements you might need to get a little tweakier than that. Here is some further reading.
https://css-tricks.com/snippets/css/prevent-long-urls-from-breaking-out-of-container/

IngloriousSplun · ‎05-07-2015

I wonder if the issue is that I don't have a defined size for the Table or cell? The above CSS is not working. The URL structure is similar to: host.domain.com/20983209234j2lokj2342092098234jMMSDSM298230924ljk23j2o2092348234l234204928340983422nlkj234.

Other events with similarly long URLs, but that include %, =, etc break fine, it's just those that are only alphanumeric characters that don't.

I've tried the above CSS, that doesn't work and I've also tried the following without luck:

-ms-word-break: break-all;
    word-break: break-all;
    word-break: break-word;

word-wrap: break-word;

-webkit-hyphens: auto;
    -moz-hypens: auto;
        hyphens: auto;

white-space: pre;
white-space: pre-wrap;
white-space: pre-line;
white-space: -pre-wrap;
white-space: -o-pre-wrap;
white-space: -moz-pre-wrap;

sideview · ‎05-07-2015

Actually you might try a completely different approach, using Table Embedding to effectively truncate the urls if they're too long.

basic idea - You use the search language to make another field, called say "truncatedUrl". If the url is less than N characters, it holds the url value. Otherwise it holds the first N-5 chars plus "...". Then you have
<module name="Table">
<param name="hiddenFields">truncatedUrl</param>
<module name="HTML" group="row.fields.url">
<param name="html">$truncatedUrl$</param>
</module>
</module>

It's a good table-embedding trick. On a couple apps I've also built simple little "expand/collapse" links so the user can expand it to the un-truncated value if/when they want. That does admittedly require a few lines of JS.

IngloriousSplun · ‎05-07-2015

Yeah, they'd have to be able to see the full URL because these are security incidents from sensors. I also thought about using sed to insert a '\n' after 50 characters, but then the URL is actually broken at that point and changes some other stuff I'm doing.

sideview · ‎05-07-2015

Getting closer. OK use sed but do your shenanigans on a separate field called like displayURL. have the real url field listed in the Table module's "hiddenFields" param. Then you can use Table Embedding to display the "displayURL" field, but for all drilldown purposes and everything else use the real url field. Despite being "hidden", it'll be available in drilldown tokens etc.

IngloriousSplun · ‎05-07-2015

Interesting. So eval the URL field to a new field, use sed to insert a new line on that field and display that field, but maintain the real URL in a hidden field to perform lookups and drilldowns on. I'll try that in a bit and let you know.

Sideview Table - How to wordwrap at certain width

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM