Dashboards & Visualizations

fix loss of text formatting in dashboard table field/column in simple xml

altink
Builder

Hello

I find difficult to proper display relatively large text fields in dashboard tables - simple xml

New lines are lost when displayed in dashboard table column, while being correct in the raw event.
Data comes as XML, the field is CTRL_OUTPUT

Below is some record content of column CTRL_OUTPUT as it shows on the Dashboard table:

OMEGACAADM DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL OMEGACATESTAPP01 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL OMEGACATESTDBA01 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL OMEGACATESTDEV01 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL OMEGACATESTDEV02 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL OMEGADBSCAN DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL SYS DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL TEST1 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL TEST2 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL TEST3 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL TEST4 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL TEST5 DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION NULL

Below is the Raw event:

<SCAN_ID>20170714_210278_Ora_DB_T01_y</SCAN_ID><DB_NAME>Ora Test DB 01</DB_NAME><DB_HOST>db_test</DB_HOST><VLN_ID>10</VLN_ID><VLN_NAME>User Profile - Password Verify Function</VLN_NAME><SEVERITY_ID>2</SEVERITY_ID><SEVERITY_NAME>Medium</SEVERITY_NAME><CATEGORY_ID>0</CATEGORY_ID><CATEGORY_NAME>Authentication</CATEGORY_NAME><SCAN_CODE_ID>0</SCAN_CODE_ID><SCAN_CODE_NAME>Completed</SCAN_CODE_NAME><SCAN_MESSAGE>Completed</SCAN_MESSAGE><CTRL_FIND_ID>1</CTRL_FIND_ID><CTRL_FIND_NAME>Finding</CTRL_FIND_NAME><CTRL_SUMMARY>OMEGACAADM,OMEGACATESTAPP01,OMEGACATESTDBA01,OMEGACATESTDEV01,OMEGACATESTDEV02,OMEGADBSCAN,SYS,TEST1,TEST2,TEST3,TEST4,TEST5</CTRL_SUMMARY><CTRL_OUTPUT>OMEGACAADM
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
OMEGACATESTAPP01
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
OMEGACATESTDBA01
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
OMEGACATESTDEV01
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
OMEGACATESTDEV02
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
OMEGADBSCAN
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
SYS
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
TEST1
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
TEST2
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
TEST3
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
TEST4
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
TEST5
DEFAULT -> PASSWORD -> PASSWORD_VERIFY_FUNCTION
NULL
</CTRL_OUTPUT>
Collapse

As it is seen above, the formatting (new lines) of the CTRL_OUTPUT is preserved in raw event, but it is lost in dashboard table display.
Can this be fixed ?

best regards
Altin

Tags (1)
1 Solution

woodcock
Esteemed Legend

This is truly obnoxious default and inescapable behavior by Splunk: displaying newlines as spaces. I hate it. The ONLY work-around it is to convert your field into a multi-valued field by adding this to the end:

 

| makemv delim="
" CTRL_OUTPUT

 

 

View solution in original post

Yunagi
Communicator

I had the same issue when displaying vulnerability scan results (Nessus) in a dashboard table. The formatting looked weird.

The accepted answer from @woodcock helped a little, but the formatting still looked weird: Multiple adjacent space characters are truncated to only one space character and paragraphs (two or more adjacent new lines) are truncated to one new line.

I found another fix involving the CSS element "white-space: pre", similar to this question.

First, I created the following css file in etc/apps/myapp/appserver/static/myapp-format.css

#table1 .table td:nth-child(3) {
   white-space: pre !important;
}

This will format the third column in the table. Next, I edited the dashboard XML as follows:

<form stylesheet="myapp-format.css">
...
  <row>
    <panel>    
      <table id="table1">
...

I had to restart Splunk and clear the cache of my web browser for the changes to take effect.

woodcock
Esteemed Legend

This is truly obnoxious default and inescapable behavior by Splunk: displaying newlines as spaces. I hate it. The ONLY work-around it is to convert your field into a multi-valued field by adding this to the end:

 

| makemv delim="
" CTRL_OUTPUT

 

 

woodcock
Esteemed Legend

WARNING!   The new website is broken and cannot display newlines inside of double-quotes, even as a "code snippet" which is also moronic and inexcusable.  So while my correct answer looked fine and worked in the old answers site, the new one cannot be made to display a correct answer so I am going to DESSCRIBE IT.  The space that you see in the double-quotes is actually supposed to be a newline as in <"></n><">.  If you do that, it works.

0 Karma

altink
Builder

Hello Mr. woodcock

I tried your command above but it didn't make any difference.

     | makemv delim="
     " CTRL_OUTPUT

However Splunk did recognize the presence of an Enter/New Line by some red highlighting.

best regards
Altin

0 Karma

woodcock
Esteemed Legend

WARNING!   The new website is broken and cannot display newlines inside of double-quotes, even as a "code snippet" which is also moronic and inexcusable.  So while my correct answer looked fine and worked in the old answers site, the new one cannot be made to display a correct answer so I am going to DESSCRIBE IT.  The space that you see in the double-quotes is actually supposed to be a newline as in <"></n><">.  If you do that, it works.  The stupid site is also forcing me to add an app, even this this Q/A has nothing to do with any app.

0 Karma

altink
Builder

Truly obnoxious.
I wander how one can work this way with fields of kind memo/clob.

I wish Splunk does something on this.

Thank you very much Mr. woodcock

0 Karma

woodcock
Esteemed Legend

You can open an Enhancement Request as a P1 support case.

0 Karma

altink
Builder

thank you Sir,

but I guess I am not the first guy who wants to see a memo or clob field inside the table, long as it may be, but at least properly formatted.

I am not looking for a memo with scroll-bars popping on click per each record cell, built in dashboard table, 🙂

but if this is not done so far, I am not aiming so high,
:-)

thank you very much for helping me
best regards
Altin

woodcock
Esteemed Legend

I agree that the request is very reasonable but scroll-bars with a setting for #rows to show would be nice, too!

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...