
How do I put over 100 results into one line?

jkcadaing
New Member

Good morning Splunkers!

I need help please! I am working on a dashboard that shows a list of MAC Addresses and sometimes the list is over 100 different addresses depending on the area.

So basically, I need to take multiple rows and put them into one line. I have a table that utilizes the nomv command, but it limits the MAC Addresses to 100. I use this table to drilldown to a custom URL, which is another Splunk instance that passes the list of MAC Addresses into another search for further processing.

Below is what I have: it places colons between every two characters of an unformatted MAC Address, then throws it into a stats command to list them and add " OR " between each one, and finally nomv takes the multivalue field and puts it into one row. I've played around with using the head and tail commands to get as much as I can; however, it is not enough and gives some duplicates if there are fewer than 200.

| eval MAC_Address=replace(MacAddress, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6") 
| stats list(MAC_Address) as MAC_Address delim=" OR " 
| nomv MAC_Address

I was wondering if there is another command/way that will allow me to take more than 100 and put them into one line to pass through? I am open to other methods such as scripting to accomplish this.


FrankVl
Ultra Champion

If you want to take a list of MAC addresses and format it as (part of) a search string, use the format command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format

e.g.:

...
| eval MAC_Address=replace(MacAddress, "(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})", "\1:\2:\3:\4:\5:\6") 
| fields MAC_Address
| format

Though this results in MAC_Address=x:x:x:x OR MAC_Address=a:b:c:d etc. So if you don't want that MAC_Address= part, you would have to strip that out again.

jkcadaing
New Member

Thank you for the quick reply! The command works well, but I've found anything over 150 causes a 414 Request-URI Too Large error haha.

I'm wondering whether there is a way to select 0-100, 101-200, 201-300, etc.?


FrankVl
Ultra Champion

Right, your problem is with passing this to a URL that is called as a drilldown. You might need to run the subsearch that generates the list of MAC addresses again as part of the drilldown, rather than passing the list along.
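
For the scripting route the question mentions, here is one way to split the list into batches sized by URL-encoded length instead of a fixed count, so each drilldown request stays under the limit behind the 414 error. This is an added example, not code from either poster; the function names and the 2000-character budget are assumptions, and the input check is stricter (hex only) than the `\w{2}` groups used in the thread.

```python
import re
from urllib.parse import quote

RAW_MAC = re.compile(r"[0-9A-Fa-f]{12}")   # stricter than the thread's \w{2} groups
SEP = " OR "

def format_mac(raw):
    """Insert a colon between every two characters, like the thread's replace()."""
    if not RAW_MAC.fullmatch(raw):
        raise ValueError(f"not a 12-hex-digit MAC address: {raw!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def or_batches(raw_macs, max_encoded_len=2000):
    """Return ' OR '-joined strings, each at most max_encoded_len once URL-encoded.

    max_encoded_len is an assumed budget; the real limit depends on the
    web server and proxies in front of the target Splunk instance.
    """
    sep_cost = len(quote(SEP, safe=""))
    batches, current, size, seen = [], [], 0, set()
    for raw in raw_macs:
        mac = format_mac(raw)
        if mac.lower() in seen:          # drop duplicates, ignoring case
            continue
        seen.add(mac.lower())
        cost = len(quote(mac, safe=""))  # ':' becomes '%3A'
        if cost > max_encoded_len:
            raise ValueError("budget is smaller than a single MAC address")
        if current and size + sep_cost + cost > max_encoded_len:
            batches.append(SEP.join(current))   # batch is full, start a new one
            current, size = [], 0
        size += cost + (sep_cost if current else 0)
        current.append(mac)
    if current:
        batches.append(SEP.join(current))
    return batches

def sample_macs(n=250):
    """Constructed sample input: n unformatted MAC addresses plus one duplicate."""
    return [f"{i:012X}" for i in range(n)] + ["000000000000"]

if __name__ == "__main__":
    for number, batch in enumerate(or_batches(sample_macs()), start=1):
        print(number, len(batch.split(SEP)), len(quote(batch, safe="")))
```

Each returned string can be sent as its own drilldown request; the budget has to leave room for the rest of the URL.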
