Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display the source for every event in search results without clicking drop-down?

webberw
New Member
‎04-22-2020 09:07 AM

Is there a way to show the source for an event in the results for a search? I am wanting to see the complete source for every row of the results. Put simply the information you would see for a selected row when you manually click into event by "Event actions --> Show Source" and get a fresh page that shows the source info. I'm looking to see that info for every row on the screen.
I understand how to 'Pick one row, then click that dropdown to see the source'.

Please note the below does not answer the question. The answer below tells how to 'for each' manually see the source for one event (the one you click into): https://answers.splunk.com/answers/289234/how-to-display-the-entire-source-under-each-event.html

Thanks!
Will-

0 Karma
Reply

darrenfuller
Contributor
‎04-22-2020 09:47 AM

You're right, when you use table, it does eliminate line breaks... but they are still there just not being displayed properly.

Try this: 

index=INDEX
| rex max_match=0 "^(?<rawlines>.+)\n+" 
| eval newraw=mvindex(rawlines,0,-1) 
| table newraw
0 Karma
Reply

webberw
New Member
‎04-22-2020 10:09 AM

Oddly....This search yields what looks like empty/blank results: 

index=myindex  "NullPointerException"  | rex max_match=0 "^(?.+)\n+" | eval newraw=mvindex(rawlines,0,-1) | table newraw

Whereas this old 'manual query' I have been using before posting here yields rows where I can manually click into each one and see the source:

index=myindex  "NullPointerException"

Results now: https://imgur.com/a/iu9Vqtj

0 Karma
Reply

manjunathmeti
Champion
‎04-22-2020 09:26 AM

You can use _raw field. 

index=INDEX  | table _raw
0 Karma
Reply

webberw
New Member
‎04-22-2020 09:33 AM

Thank you for that quick answer. But that does not seem to show the exact same info. Manually clicking "Event actions --> Show Source" for a result row seems to include information spanning across line breaks that happen inside the log entry. That is, you see a full stacktrace even though the stacktrace has linebreaks. Whereas adding "table _raw" does not show all those lines.

0 Karma
Reply

manjunathmeti
Champion
‎04-22-2020 12:22 PM

"Event actions --> Show Source" is a workflow action and a workflow action can only be created at event-level (meaning they apply to an entire event), field-level (meaning they apply to specific fields within events), or both. You cannot create it for all events.

Check this:https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/CreateworkflowactionsinSplunkWeb

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top