Hello
I find it difficult to properly display relatively large text fields in dashboard tables (Simple XML).
New lines are lost when displayed in a dashboard table column, while being correct in the raw event.
The data comes as XML; the field is CTRL_OUTPUT.
Below is some record content of column CTRL_OUTPUT as it shows in the dashboard table:
OMEGACAADM DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL OMEGACATESTAPP01 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL OMEGACATESTDBA01 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL OMEGACATESTDEV01 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL OMEGACATESTDEV02 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL OMEGADBSCAN DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL SYS DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL TEST1 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL TEST2 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL TEST3 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL TEST4 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL TEST5 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL
Below is the Raw event:
<SCAN_ID>20170714_210278_Ora_DB_T01_y</SCAN_ID><DB_NAME>Ora Test DB 01</DB_NAME><DB_HOST>db_test</DB_HOST><VLN_ID>10</VLN_ID><VLN_NAME>User Profile - Password Verify Function</VLN_NAME><SEVERITY_ID>2</SEVERITY_ID><SEVERITY_NAME>Medium</SEVERITY_NAME><CATEGORY_ID>0</CATEGORY_ID><CATEGORY_NAME>Authentication</CATEGORY_NAME><SCAN_CODE_ID>0</SCAN_CODE_ID><SCAN_CODE_NAME>Completed</SCAN_CODE_NAME><SCAN_MESSAGE>Completed</SCAN_MESSAGE><CTRL_FIND_ID>1</CTRL_FIND_ID><CTRL_FIND_NAME>Finding</CTRL_FIND_NAME><CTRL_SUMMARY>OMEGACAADM,OMEGACATESTAPP01,OMEGACATESTDBA01,OMEGACATESTDEV01,OMEGACATESTDEV02,OMEGADBSCAN,SYS,TEST1,TEST2,TEST3,TEST4,TEST5</CTRL_SUMMARY><CTRL_OUTPUT>OMEGACAADM
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
OMEGACATESTAPP01
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
OMEGACATESTDBA01
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
OMEGACATESTDEV01
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
OMEGACATESTDEV02
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
OMEGADBSCAN
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
SYS
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
TEST1
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
TEST2
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
TEST3
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
TEST4
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
TEST5
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
</CTRL_OUTPUT>
As seen above, the formatting (new lines) of CTRL_OUTPUT is preserved in the raw event, but it is lost in the dashboard table display.
Can this be fixed?
best regards
Altin
I had the same issue when displaying vulnerability scan results (Nessus) in a dashboard table. The formatting looked weird.
The accepted answer from @woodcock helped a little, but the formatting still looked weird: multiple adjacent space characters are truncated to only one space character, and paragraphs (two or more adjacent new lines) are truncated to one new line.
I found another fix involving the CSS property "white-space: pre", similar to this question.
First, I created the following CSS file in etc/apps/myapp/appserver/static/myapp-format.css:
#table1 .table td:nth-child(3) {
    white-space: pre !important;
}
This will format the third column in the table. Next, I edited the dashboard XML as follows:
<form stylesheet="myapp-format.css">
  ...
  <row>
    <panel>
      <table id="table1">
        ...
I had to restart Splunk and clear the cache of my web browser for the changes to take effect.
This is truly obnoxious default and inescapable behavior by Splunk: displaying newlines as spaces. I hate it. The ONLY workaround is to convert your field into a multi-valued field by adding this to the end:
| makemv delim="
" CTRL_OUTPUT
WARNING! The new website is broken and cannot display newlines inside of double-quotes, even as a "code snippet", which is also moronic and inexcusable. So while my correct answer looked fine and worked in the old answers site, the new one cannot be made to display a correct answer, so I am going to DESCRIBE IT. The space that you see in the double-quotes is actually supposed to be a newline as in <"></n><">. If you do that, it works.
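What the newline structure of CTRL_OUTPUT carries, as an added Python example that is not part of the original thread: it splits the field on newlines (the same delimiter the makemv answer uses in SPL), groups the values into per-account records, and cross-checks them against CTRL_SUMMARY. The three-line record layout (account, setting path, value) is an assumption read off the event in the question, and the sample event is a constructed, shortened copy of it.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the raw event from the question, cut down to three accounts.
RAW_EVENT = (
    "<SCAN_ID>20170714_210278_Ora_DB_T01_y</SCAN_ID>"
    "<VLN_NAME>User Profile - Password Verify Function</VLN_NAME>"
    "<CTRL_SUMMARY>OMEGACAADM,SYS,TEST1</CTRL_SUMMARY>"
    "<CTRL_OUTPUT>OMEGACAADM\nDEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION\nNULL\n"
    "SYS\nDEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION\nNULL\n"
    "TEST1\nDEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION\nNULL\n"
    "</CTRL_OUTPUT>"
)

def parse_event(raw):
    # The event is a run of sibling elements with no root element, so wrap it.
    root = ET.fromstring("<event>" + raw + "</event>")
    return {child.tag: child.text or "" for child in root}

def split_lines(value):
    # Split on newline and drop empty values (e.g. the one before the closing tag).
    return [line.strip() for line in value.split("\n") if line.strip()]

def findings(fields):
    # Assumed layout: account name, setting path, setting value, repeated.
    lines = split_lines(fields["CTRL_OUTPUT"])
    if len(lines) % 3:
        raise ValueError("CTRL_OUTPUT is not a whole number of 3-line records")
    return [
        {"account": a, "setting": s, "value": v}
        for a, s, v in zip(lines[0::3], lines[1::3], lines[2::3])
    ]

def flattened(fields):
    # The form shown in the dashboard cell: newlines rendered as single spaces.
    return " ".join(split_lines(fields["CTRL_OUTPUT"]))

def summary_mismatch(fields):
    # Accounts listed in CTRL_SUMMARY but not parsed from CTRL_OUTPUT, or vice versa.
    listed = set(fields["CTRL_SUMMARY"].split(","))
    parsed = {f["account"] for f in findings(fields)}
    return sorted(listed ^ parsed)

if __name__ == "__main__":
    fields = parse_event(RAW_EVENT)
    for f in findings(fields):
        print(f"{f['account']:<12} {f['setting']} = {f['value']}")
    print("summary mismatch:", summary_mismatch(fields))
```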
Hello Mr. woodcock
I tried your command above but it didn't make any difference.
| makemv delim="
" CTRL_OUTPUT
However Splunk did recognize the presence of an Enter/New Line by some red highlighting.
best regards
Altin
WARNING! The new website is broken and cannot display newlines inside of double-quotes, even as a "code snippet", which is also moronic and inexcusable. So while my correct answer looked fine and worked in the old answers site, the new one cannot be made to display a correct answer, so I am going to DESCRIBE IT. The space that you see in the double-quotes is actually supposed to be a newline as in <"></n><">. If you do that, it works. The stupid site is also forcing me to add an app, even though this Q/A has nothing to do with any app.
Truly obnoxious.
I wonder how one can work this way with fields of kind memo/clob.
I wish Splunk would do something about this.
Thank you very much Mr. woodcock
You can open an Enhancement Request
as a P1 support case.
thank you Sir,
but I guess I am not the first guy who wants to see a memo or clob field inside the table, long as it may be, but at least properly formatted.
I am not looking for a memo with scroll-bars popping on click per each record cell, built in dashboard table, 🙂
but if this is not done so far, I am not aiming so high,
:-)
thank you very much for helping me
best regards
Altin
I agree that the request is very reasonable but scroll-bars with a setting for #rows to show would be nice, too!