- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Re: Need to Change the Max Lines from 5 to 20
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need to Change the Max Lines from 5 to 20
Hi Team,
Our Splunk Search heads are hosted in Cloud and managed by Support and currently we are running with the latest version (9.1.2308.203).
This pertains to the Max Lines setting in the Format section of the Search and Reporting App.
Previously, Splunk defaulted to displaying 20 or more lines in search results within the Search and Reporting App. As an administrator responsible for extracting Splunk logs across various applications over the years, I never encountered the need to expand brief search results, to read all lines. However, in the recent weeks, possibly following an upgrade of the Splunk Search heads, I've observed that each time I open a new Splunk search window or the existing Splunk tab times out and auto-refreshes, the Format > Max Lines option is reset to 5. Consequently, I find myself changing it after nearly every search, which has become cumbersome.
Therefore, Kindly guide me on how to change the default value to 20 from 5 in the Search and Reporting App on both Search heads? This adjustment would alleviate the challenge faced by most of our customers and end-users who find it cumbersome to modify it for each search.
So kindly help on my requirement.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @anandhalagaras1
I believe that while changing the default value directly may not be possible, we can still achieve the desired outcome. Instead of adjusting the default setting, we can create a scheduled search with the preferred value of 20. This means that whenever the search is scheduled to run, it will automatically use the desired setting without needing to be manually adjusted each time. This ensures a consistent experience for users without worrying about the default value being reset.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your prompt response. But actually it needs to be updated for each and every search and all users want to have the default as 20 instead of 5. So our Search head is hosted in Cloud and I have tried to create an app with ui-prefs.conf but most of the time i got an error during app vetting process. But at some point of time the app has been deployed successfully and we have restarted the Search head and once again when we navigate and checked the max lines its still the same.
display.events.maxLines = 20
I can able to do it in the default directory whereas when i do from local its getting error. So kindly let me know how to achieve it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @anandhalagaras1 ,
If you're creating a custom app, you'll need to write the configuration in your default directory; otherwise, it will give you an error during validation, and the app won't pass the vetting process in Splunk Cloud.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes I have developed an app and placed them in the default ui[prefs.conf and after app vetting process also it didnt worked. Need your inputs on the same please. I have also restarted the Splunk cloud search head instance but still the same.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
