
Why does "show source" omit lines

davidstuffle
Path Finder

We have large events that show the entire event data, but when we select "show source" it shows several omitted lines.

Example:

                <DateCreated>2018-06-11T08:52:45</DateCreated>
                <AttachmentData>
                  <TXLife Version="2.25.00">
                    <TXLifeResponse PrimaryObjectID="Holding_1_1"> 
... 151 lines omitted ...
                    </TXLifeResponse>
                  </TXLife>
                </AttachmentData>
                <AttachmentType tc="MIBResults">System - MIB Result</AttachmentType>

The data is not omitted in the actual event, but just in the "show source".

Here are settings we have from the limits.conf:
    [show_source]
    # maximum events retrievable by show source
    max_count = 20000
    max_timebefore = 1day
    max_timeafter = 1day
    distributed = true
    distributed_search_limit = 30000

Any idea how to make it show all the lines?

David

0 Karma

niketn
Legend

@davidstuffle, Show Source is a system GET workflow action which works with events that have the internal field _cd. Refer to the documentation for details.

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usespecialparametersinworkflowactions#...

Alternatively you can create your own GET or Search Workflow Action similar to Show Source, depending on whether you want your users to land in Search Screen or not (may be a read only dashboard). For example:
A search Workflow Action can perform | loadjob $@sid$| table _raw to show raw events in a tabular format.

Refer to documentation on creating GET or Search Workflow Action

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
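
A search workflow action of the kind suggested in the answer above, written as a `workflow_actions.conf` stanza. This is an added example, not part of the original post or Splunk's shipped configuration; the stanza name, label, and target app/view are hypothetical, and the search string is the one quoted in the answer.

```ini
# workflow_actions.conf (constructed example; stanza name and label are hypothetical)
[show_raw_from_job]
# Run a secondary search rather than issuing a GET request
type = search
label = Show raw events (table)
# Offer the action in the "Event Actions" menu, next to Show Source
display_location = event_menu
# Show the action for every event regardless of which fields it has
fields = *
# $@sid$ is replaced with the search ID of the job that returned the event;
# the search string is the one from the answer above
search.search_string = | loadjob $@sid$ | table _raw
# App and view the search opens in (assumed: the default Search app)
search.app = search
search.view = search
# Open in a new window so the original results stay in place
search.target = blank
```

`loadjob` reads the artifacts of the original job, so the action only works while that job still exists and the user is allowed to read it.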

davidstuffle
Path Finder

Thanks, and I'll look into this further. So, is it correct to say that it's working as designed and there is not an option to change this behavior other than creating our own Workflow Action?

0 Karma

sloshburch
Splunk Employee

What was the base search used? Feel free to replace sensitive content. I'm curious if this is just a factor of what is being searched for and the results set displaying it in accordance. It might not, but I wanna do due diligence to be safe.

0 Karma

niketn
Legend

@davidstuffle since that is a System built capability, I expect so. If you have Splunk Entitlement, you can definitely put in an enhancement request for the capability to expand the view if required. However, a faster and better approach would be to create your own Workflow Action and show the results as a table on maybe a read-only dashboard with no drilldown.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

sloshburch
Splunk Employee

(Converted this to an answer because I think it's a bazillion times better than how I was trying to approach this.)

niketn
Legend

Thanks @SloshBurch... Means a lot 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sloshburch
Splunk Employee

That's actually just a rendering that adjusts based on the search you performed. Back in the search results there should be a link under the event to show/expand all of the source. Sometimes, based on the keywords in the search results, the source may be collapsed.

Would you post a screenshot of the Splunk UI before you select Show Source? We should see the option there to get more details and work on the question from there.

For what it's worth, you made me realize that when I first started with Splunk, I used the Show Source a lot, because seeing all the events was most familiar and natural to me. Now I recognize that I can't remember the last time I used that feature! I think the reason is because I grew more comfortable with Splunk's keyword searching and other SPL commands that allowed me to more rapidly find what I needed. Anyway, I share that perspective in case it helps us re-approach the search you are exploring, thereby making this particular question (about show source) less important.

0 Karma

davidstuffle
Path Finder

I'm not seeing how to upload screenshots at the moment...

The original/initial search results show "...xx lines omitted..." several times. At the bottom of the condensed results, I select "Show all 4989 lines". Then the entire event shows all the lines just fine. Then I select "Event Actions" - "Show Source" and the source shows several "...xx lines omitted..." in the source view.

The users are using some kind of automation that requires the "show source" view which is why this is an issue for us.

0 Karma

niketn
Legend

@davidstuffle, you can upload the image to an image sharing site like imgur (ensure that you mask/anonymize all sensitive data before uploading the image).

Then on Splunk Answers use the Image Button <img> or the shortcut key Ctrl+G to post the image using the image URL.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

sloshburch
Splunk Employee

Thanks for the explanation. Maybe screenshots are not possible until you hit a certain karma level (usage) of answers.splunk.com.

Could you share a generic version of the search that produces this result? And explain what the scenario is for those end users such that they are using Show Source?

I think that detail will help uncover what's going on.

0 Karma