Hello,
I need to limit the number of values shown in a multivalue column in a dashboard. This was possible using advanced XML using this option:
<module name="SimpleResultsTable">
  <param name="allowTransformedFieldSelect">True</param>
  <param name="count">10</param>
</module>
But I fail to see how to do it in Simple XML now that advanced XML is deprecated.
It should look something like this.
Is there a way to do this using a classic dashboard on newer versions of Splunk that no longer support advanced XML?
Hi @BakaFon,
You could insert in your stats command the distinct count of values for your field and, if it exceeds the limit, display only the first two or three.
So if the field is dest_ip and you want to display only the first three, you could use something like this:
index=your_index
| stats values(ip_dest) AS ip_dest dc(ip_dest) AS dc_ip_dest By host
| eval ip_dest=if(dc_ip_dest>3,"More IP dest",ip_dest)
Ciao.
Giuseppe
I forgot to mention that if I click on the "more" value it actually expands and shows them all, so I can't use your solution because I won't be able to read all the values.
Hi @BakaFon,
I implemented the feature you want by making a click drill down into another dashboard or another panel where all the results are displayed.
You can do this by passing the filter parameters of your search, but without the check on the number of multivalues.
Ciao.
Giuseppe
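
The two suggestions in this thread combined into one Simple XML dashboard, as an added example that is not code from either poster: the first table uses `mvindex` to keep the first three values per host and appends a marker, and clicking a row reveals a second panel listing every value. The index, the field names, the `sel_host` token and the time range are assumptions.

```xml
<!-- Added example: index, field names and the sel_host token are placeholders. -->
<dashboard version="1.1">
  <label>Destination IPs per host</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Keep the first three values and append a marker when there are more. -->
          <query>index=your_index
| stats values(ip_dest) AS ip_dest dc(ip_dest) AS dc_ip_dest BY host
| eval ip_dest=if(dc_ip_dest&gt;3, mvappend(mvindex(ip_dest, 0, 2), "More..."), ip_dest)
| fields host ip_dest</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- Clicking a row stores its host and reveals the detail panel. -->
          <set token="sel_host">$row.host$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$sel_host$">
    <panel>
      <title>All destination IPs for $sel_host$</title>
      <table>
        <search>
          <!-- Same filter, without the limit on the number of values. -->
          <query>index=your_index host=$sel_host|s$
| stats count BY ip_dest
| sort ip_dest</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

The `|s` token filter wraps the clicked host value in quotes before it is substituted into the second search.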