Getting Data In

How to display the source for every event in search results without clicking drop-down?

webberw
New Member

Is there a way to show the source for an event in the results for a search? I am wanting to see the complete source for every row of the results. Put simply, the information you would see for a selected row when you manually click into an event by "Event actions --> Show Source" and get a fresh page that shows the source info. I'm looking to see that info for every row on the screen.
I understand how to 'Pick one row, then click that dropdown to see the source'.

Please note the below does not answer the question. The answer below tells how to 'for each' manually see the source for one event (the one you click into): https://answers.splunk.com/answers/289234/how-to-display-the-entire-source-under-each-event.html

Thanks!
Will-

0 Karma

darrenfuller
Contributor

You're right, when you use table, it does eliminate line breaks... but they are still there just not being displayed properly.

Try this:

index=INDEX
| rex max_match=0 "^(?<rawlines>.+)\n+" 
| eval newraw=mvindex(rawlines,0,-1) 
| table newraw

0 Karma

webberw
New Member

Oddly....This search yields what looks like empty/blank results:

index=myindex  "NullPointerException"  | rex max_match=0 "^(?<rawlines>.+)\n+" | eval newraw=mvindex(rawlines,0,-1) | table newraw

Whereas this old 'manual query' I have been using before posting here yields rows where I can manually click into each one and see the source:

index=myindex  "NullPointerException" 

Results now: https://imgur.com/a/iu9Vqtj

0 Karma

manjunathmeti
SplunkTrust

You can use _raw field.

index=INDEX  | table _raw

0 Karma

webberw
New Member

Thank you for that quick answer. But that does not seem to show the exact same info. Manually clicking "Event actions --> Show Source" for a result row seems to include information spanning across line breaks that happen inside the log entry. That is, you see a full stacktrace even though the stacktrace has linebreaks. Whereas adding "table _raw" does not show all those lines.

0 Karma

manjunathmeti
SplunkTrust

"Event actions --> Show Source" is a workflow action and a workflow action can only be created at event-level (meaning they apply to an entire event), field-level (meaning they apply to specific fields within events), or both. You cannot create it for all events.

Check this: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/CreateworkflowactionsinSplunkWeb

0 Karma