Dashboards & Visualizations

can I have a multiline search box?

Alan_Bradley
Path Finder

It'd be cool if I could add some line breaks to my search so that visual inspection of what I was typing was a little easier on the eyes. Can this be done?

Tags (1)
1 Solution

matt
Splunk Employee
Splunk Employee

You can type shift-enter in the search bar to add a line break. The search bar will open to a max of 4 lines.

View solution in original post

Lowell
Super Champion

Just as a word of warning. Multi-line searches can cause some problems in some of splunk's internal logs. This is mostly due to props settings for the log files. Normally this shows up as time-stamping errors in the splunkd.log source.

For example, the auditrail, splunkd, and searches (I think) sourcetypes are not setup for multi-line events. And in some places the multi-line searches get logged across lines which causes the timestamping issue. Other times, the searches get wrapped as a single line, and this isn't a problem. (I tracked this down once, I think. But can't remember what the common factor was as to when this seems to happen.)

In my own config, I've added SHOULD_LINEMERGE = True to these sourcetypes to make this problem go away. (I realize this probably isn't as efficient, but it seemed like the best workaround)

matt
Splunk Employee
Splunk Employee

You can type shift-enter in the search bar to add a line break. The search bar will open to a max of 4 lines.

matt
Splunk Employee
Splunk Employee

Good to know. Thanks for the clarification

0 Karma

Johnvey
Contributor

Your search can be as many lines as you want -- the 4 line limit is just how big the textarea will grow.

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...