How to display the source for every event in search results without clicking drop-down?

New Member

Is there a way to show the source for an event in the results for a search? I want to see the complete source for every row of the results. Put simply, the information you would see for a selected row when you manually click into an event via "Event actions --> Show Source" and get a fresh page that shows the source info. I'm looking to see that info for every row on the screen.
I understand how to 'Pick one row, then click that dropdown to see the source'.

Please note the below does not answer the question. The answer below tells how to 'for each' manually see the source for one event (the one you click into): https://answers.splunk.com/answers/289234/how-to-display-the-entire-source-under-each-event.html

Thanks!
Will-

0 Karma

Contributor

You're right, when you use table, it does eliminate line breaks... but they are still there, just not being displayed properly.

Try this:

index=INDEX
| rex max_match=0 "^(?<rawlines>.+)\n+" 
| eval newraw=mvindex(rawlines,0,-1) 
| table newraw

0 Karma

New Member

Oddly... This search yields what looks like empty/blank results:

index=myindex "NullPointerException" | rex max_match=0 "^(?<rawlines>.+)\n+" | eval newraw=mvindex(rawlines,0,-1) | table newraw

Whereas this old 'manual query' I have been using before posting here yields rows where I can manually click into each one and see the source:

index=myindex  "NullPointerException" 

Results now: https://imgur.com/a/iu9Vqtj

0 Karma

Influencer

You can use _raw field.

index=INDEX  | table _raw

0 Karma

New Member

Thank you for that quick answer. But that does not seem to show the exact same info. Manually clicking "Event actions --> Show Source" for a result row seems to include information spanning across line breaks that happen inside the log entry. That is, you see a full stacktrace even though the stacktrace has linebreaks. Whereas adding "table _raw" does not show all those lines.

0 Karma

Influencer

"Event actions --> Show Source" is a workflow action and a workflow action can only be created at event-level (meaning they apply to an entire event), field-level (meaning they apply to specific fields within events), or both. You cannot create it for all events.

Check this: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/CreateworkflowactionsinSplunkWeb

0 Karma