Solved: How to view all sources

super_saiyan · ‎04-28-2022

hello everyone,

i ran a search query and in "source" section i can see 100+ results.

but when i clicked on it i was only able to see 10 sources.

how can i see / view all sources ?

PickleRick · ‎04-28-2022

The list of fields on the left shows only fields which are present in a certain percentage of returned events (at least 20% if I'm not mistaken). And if you click o them you indeed get top 10 values for each field.

This is useful for a quick overview and initial exploration of your data but to get some more specific results, you have to search for them explicitly.

In your case you might wan to do

<your_search> | stats values(source)

or

<your_search> | stats count by source

View solution in original post

isoutamo · ‎04-28-2022

Hi

you cannot see those on that box. But you could write SPL to see those. One simple way is e.g.

...
| dedup source
| table source

There are lot of different queries which you could do for this.
r. Ismo

PickleRick · ‎04-28-2022

The list of fields on the left shows only fields which are present in a certain percentage of returned events (at least 20% if I'm not mistaken). And if you click o them you indeed get top 10 values for each field.

This is useful for a quick overview and initial exploration of your data but to get some more specific results, you have to search for them explicitly.

In your case you might wan to do

<your_search> | stats values(source)

or

<your_search> | stats count by source

How to view all sources

troubleshooting

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies