Archive
Highlighted

Show most relevant lines (Exceeds 500 limit)

Contributor

Hi~there,

We index some system config file to facilitate user's lookup.
But it seems the splunk have the limits in showing only 500 lines per event.
I try to add MAX_EVENT = 10000 in props.conf of search apps, but it still does not work. Any workaround for this? Thanks for your help.

Highlighted

Re: Show most relevant lines (Exceeds 500 limit)

Builder

hjwang,

You need to modify the XML configuration for views that have the EventsViewer module (namely flashtimeline) to override the 500 limit in the UI. This is achieved by setting the maxLines param to 0 and maxLinesContraint to X. I wouldn't recommend going to high with maxLinesConstraint since it is listed as a "Browser crash control setting". Your modifications should reflect:

## Snippet from $SPLUNK_HOME/etc/apps/search/local/data/ui/views/flashtimeline.xml
<module name="EventsViewer" layoutPanel="resultsAreaLeft">
  <param name="segmentation">full</param>
  <param name="reportFieldLink">report_builder_format_report</param>
  <!-- Override display # of lines to 1000 -->
  <param name="maxLines">0</param>
  <param name="maxLinesConstraint">1000</param>

View solution in original post

Highlighted

Re: Show most relevant lines (Exceeds 500 limit)

Contributor

hazekamp, thank you very much. it really works

0 Karma
Highlighted

Re: Show most relevant lines (Exceeds 500 limit)

Champion

Which version(s) does this apply to? It doesn't appear to work in version 5.0.3 -- I'm still being limited by UI displaying only most relevant 500 lines despite this modification.

0 Karma
Highlighted

Re: Show most relevant lines (Exceeds 500 limit)

New Member

I am using version 5.0.3.
The maximum number that I can specify is 500. An error message will show, if I put the greater number than that.

Any recommendation on this please.

0 Karma
Highlighted

Re: Show most relevant lines (Exceeds 500 limit)

Path Finder

This looks very promising, but I can't find the relevent section of flashtimeline.xml in the "default" dir. My guess is they have changed how this is done. This is versin 6.5 .

0 Karma
Highlighted

Re: Show most relevant lines (Exceeds 500 limit)

Builder

Yes, flashtimeline.xml (the original advanced xml implementation of the search page) is no longer valid. I'm not 100% certain what this looks like in modern versions, but I can dig a bit.

0 Karma
Highlighted

Re: Show most relevant lines (Exceeds 500 limit)

New Member

Awesome tip. I would be great if the limit was part of the limits.conf configuration. As is, it has to be changed for every new release.

0 Karma
Highlighted

Re: Show most relevant lines (Exceeds 500 limit)

Splunk Employee
Splunk Employee

Nothing stops you from copying flashtimeline.xml to a different view/app and making your changes there. Then they would not get overridden.

0 Karma
Highlighted

Re: Show most relevant lines (Exceeds 500 limit)

Motivator

https://answers.splunk.com/answers/243049/show-all-lines-for-windows-event-log-events.html#answer-32...

Directly above the data and below the timeline (on the Event tab and beneath tab with the word "Visualization") there is a "Format" Option where you can set "Max Lines" to "All lines"

0 Karma