Dashboards & Visualizations

Limit the number of row in a multivalue column in a dashboard

BakaFon
Loves-to-Learn Everything

Hello,

I need to limit the number of value shown in a multivalue column in a dashboard. This was possible using advanced xml using this option:

<module name="SimpleResultsTable">                                                               
 <param name="allowTransformedFieldSelect">True</param>                                                               
 <param name="count">10</param>

But I fail to see how to do it in simple xml now that advanced xml is deprecated

it should look like something like this 

Screenshot 2022-02-07 145941.png

There is a way to do this using classic dashboard on newer version of splunk that no longer support advanced xml?

Labels (4)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @BakaFon,

you could insert in your stats command the distinct count of values for your field and, if it exceeds the limit display only the first two or three,

so if the field is dest_ip and you want to display only the first three, you could use something like this:

index=your_index
| stats values(ip_dest) AS ip_dest dc(ip_dest) AS dc_ip_dest By host
| eval ip_dest=if(dc_ip_dest>3,"More IP dest",ip_dest)

Ciao.

Giuseppe

0 Karma

BakaFon
Loves-to-Learn Everything

I forgot to mention that if I click on the more value it actually expand and show  them all so I can't use your solution because I won't be be to read all the values

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @BakaFon,

I implemented the feature you want, making on click a drilldown in another dashboard or in another panel where all the results are displayed.

You can do this passing the filter parameters of your search buit without the check on the number of multivalues.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...