Splunk Search

no of events in show_source view

smolcj
Builder

Hi,
The default numbers of events displayed in Show Source are 25, 50, 100, 200, 500, and 1000.
Can I change it so that I can see all the events in my source file? There are nearly 7000 events in my source file. I tried changing the static options defined in the Show_source view, but nothing changed. Can somebody help me?
Please help.
Thank you

0 Karma
1 Solution

sideview
SplunkTrust

You can change the show_source view's XML, so as to add higher row numbers like 10000, and in some cases such a change will result in 10,000 or more rows being displayed. Technically it will display 10,000 rows before the selected event and 10,000 rows after, for a total event count of 20,001.

However I do not think this is generally possible for all distributions of events in time. I can reproduce cases where it will indeed render 20,001 events. However I can also find lots of cases where it gives up before reaching those numbers. Above about 1000, Show source will not necessarily go and get all the 10,000 rows that the user has asked for, because it may find the request difficult to fulfill and it may assume from that that there are no more events to get when in fact there are.

Long version: Show source in the Splunk Search app is implemented using an obscure argument in the REST API, and one that is undocumented. You can look into ShowSource.py, or just read the splunkd_access log to see the requests that get made back to splunkd to fulfill show-source requests. There is a "surrounding=1" argument that gets passed, even though such an argument is not documented in the official REST API docs.

/services/search/jobs/1360821045.803/events?latest_time=1338534000&max_lines=500&surrounding=1&count=10000&field_list=_raw%2Ctarget%2CMSG_TYPE%2CMSG_CONTENT%2C_decoration&offset=90&show_empty_fields=True&output_mode=json&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z&time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S%25z

http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7...

Note the surrounding=1 argument in the splunkd_access log snippet posted above. surrounding=1 tells the API that instead of getting the events for this search result, it should go to offset=90 of the current search result, get that one event, get the 'source' and 'host' field values of that event, and then do a separate search in the index for other events that have that source and host, that are nearby in time. Starting from that point and going backward in time to get the events is a piece of cake for Splunk, but starting from that point and going forward in a historical sense, is a bit harder. And I think in this implementation if it finds itself struggling, it allows itself to give up before it's actually reached the 10,000 mark or whatever you've set for it.
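As an added illustration (not code from the thread, and not Splunk's own ShowSource.py), the following Python decodes the splunkd_access request line quoted above into its parameters and applies the accounting the answer describes: with surrounding=1, count rows before the anchor event plus count rows after it plus the anchor itself. It never contacts a Splunk instance; the only assumption beyond the quoted request is that each query parameter appears once.

```python
from urllib.parse import urlsplit, parse_qs

# Request path copied from the splunkd_access snippet quoted in the answer above.
SHOW_SOURCE_REQUEST = (
    "/services/search/jobs/1360821045.803/events?latest_time=1338534000"
    "&max_lines=500&surrounding=1&count=10000"
    "&field_list=_raw%2Ctarget%2CMSG_TYPE%2CMSG_CONTENT%2C_decoration"
    "&offset=90&show_empty_fields=True&output_mode=json"
    "&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z"
    "&time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S%25z"
)

# Parameters that must be whole numbers for the row accounting below.
_INT_PARAMS = ("count", "offset", "max_lines", "latest_time")


def parse_events_request(request_line):
    """Decode one /services/search/jobs/<sid>/events request line.

    Returns a dict with the search id under 'sid' plus every query parameter,
    with numeric ones converted to int, field_list split into a list and
    surrounding turned into a bool. Raises ValueError if the path is not a
    search-job events endpoint, so unrelated access-log lines are not mis-read.
    """
    parts = urlsplit(request_line)
    segments = parts.path.strip("/").split("/")
    if (len(segments) != 5 or segments[:3] != ["services", "search", "jobs"]
            or segments[4] != "events"):
        raise ValueError("not a search-job events request: %s" % parts.path)

    # parse_qs percent-decodes once: %2C -> ',' and %25Y -> '%Y'.
    raw = parse_qs(parts.query, keep_blank_values=True)
    params = {"sid": segments[3]}
    for key, values in raw.items():
        if len(values) != 1:  # assumption: each parameter is given once
            raise ValueError("parameter repeated in request: %s" % key)
        params[key] = values[0]

    for key in _INT_PARAMS:
        if key in params:
            params[key] = int(params[key])
    if "field_list" in params:
        params["field_list"] = params["field_list"].split(",")
    # surrounding=1 is the flag that switches the request into show-source mode.
    params["surrounding"] = params.get("surrounding") == "1"
    return params


def requested_rows(params):
    """Maximum rows a request asks splunkd for.

    With surrounding=1, 'count' rows are fetched before the anchor event and
    'count' after it, so the ceiling is 2*count + 1 (20,001 for count=10000);
    a plain events request returns at most 'count' rows.
    """
    if params["surrounding"]:
        return 2 * params["count"] + 1
    return params["count"]


if __name__ == "__main__":
    decoded = parse_events_request(SHOW_SOURCE_REQUEST)
    print("search id:", decoded["sid"])
    print("anchor offset:", decoded["offset"])
    print("fields:", ", ".join(decoded["field_list"]))
    print("output time format:", decoded["output_time_format"])
    print("rows requested:", requested_rows(decoded))  # 20001 for the quoted request
```

Running the script against the quoted line prints the decoded field list and time formats (the doubled percent-encoding in the log collapses to the usual strftime pattern) and the 20,001-row ceiling the answer mentions; the same functions can be pointed at other events lines pulled from splunkd_access.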

smolcj
Builder

Please help me to fix this.
I want to show my entire log through Show Source, but right now I am only able to show the last 1000 rows.
Please help.

0 Karma

smolcj
Builder

7000
When I try this option under the ShowSource module, I get a statement like:
Show source not available for this event.
Any thoughts?
Please help.

0 Karma

smolcj
Builder

Version 5.0.1.

0 Karma

lguinn2
Legend

What version of Splunk are you using?

0 Karma