We have large events that show the entire event data, but when we select "show source" it shows several omitted lines.
Example:
<DateCreated>2018-06-11T08:52:45</DateCreated>
<AttachmentData>
<TXLife Version="2.25.00">
<TXLifeResponse PrimaryObjectID="Holding_1_1">
... 151 lines omitted ...
</TXLifeResponse>
</TXLife>
</AttachmentData>
<AttachmentType tc="MIBResults">System - MIB Result</AttachmentType>
The data is not omitted in the actual event, but just in the "show source".
Here are settings we have from the limits.conf:
[show_source]
max_count = 20000
max_timebefore = 1day
max_timeafter = 1day
distributed = true
distributed_search_limit = 30000
Any idea how to make it show all the lines?
David
@davidstuffle, Show Source is System Get Workflow Action which works with Event having internal field _cd
. Refer to documentation for detail.
Alternatively you can create your own GET or Search Workflow Action
similar to Show Source, depending on whether you want your users to land in Search Screen or not (may be a read only dashboard). For example:
A search Workflow Action can perform | loadjob $@sid$| table _raw
to show raw events in a tabular format.
Refer to documentation on creating GET or Search Workflow Action
Thanks, and I'll look in to this further. So, is it correct to say that it's working as designed and there is not an option to change this behavior other than creating our own Workflow Action?
What was the base search used? Feel free to replace sensitive content. I'm curious if this is just a factor of what is being searched for and the results set displaying it in accordance. It might not, but I wanna due diligence to be safe.
@davidstuffle since that is a System built capability, I expect so. If you have Splunk Entitlement, you can definitely put in an enhancement request for the capability to expand the view if required. However, faster and better approach would be to create your own Workflow action and show the results as a table on maybe a read only dashboard with no drilldown.
(Converted this to an answer because I think it's a bazillion times better than how I was trying to approach this.)
Thanks @SloshBurch... Means alot 🙂
That's actually just a rendering that adjusts based on the search you performed. Back in the search results there should be a link under the event to show/expand all of the source. Sometimes, based on the keywords in the search results, the source may be collapsed.
Would you post a screenshot of the Splunk UI before you select Show Source? We should see the option there to get more details and work on the question from there.
For what it's worth, you made me realize that when I first started with Splunk, I used the Show Source a lot, because seeing all the events was most familiar and natural to me. Now I recognize that I can't remember the last time I used that feature! I think the reason is because grew more comfortable with Splunk's keyword searching and other SPL commands that allowed me to more rapidly find what I needed. Anyway, I share that perspective in case it helps us re-approach the search you are exploring thereby making this particular question (about show source) less important.
I'm not seeing how to upload screenshots at the moment...
The original/initial search results show "...xx lines omitted..." several times. At the bottom of the condensed results, I select "Show all 4989 lines". Then the entire event shows all the line just fine. Then I select "Event Actions" - "Show Source" and the source shows several "...xx lines omitted..." in the source view.
The users are using some kind of automation that requires the "show source" view which is why this is an issue for us.
@davidstuffle, you can upload image to image sharing sites like imgur
(Ensure that you mask/anonymize all sensitive data before uploading the image).
Then on Splunk Answers use the Image Button <img>
or Shortcut key Ctrl +G
to post image using the image URL.
Thanks for the explanation. Maybe screenshots not possible until you hit certain karma level (usage) of answers.splunk.com.
Could you share a generic version of the search that produces this result? And explain what the scenario is for those end users such that they are using Show Source?
I think that detail will help uncover what's going on.