How to collapse unneeded lines in the search result for a very long event?

Splunk Employee

Search string "mismatch".

The single event is about 2-3K lines or more. In the lines of text there are 5 lines with the text "mismatch". A search on the word "mismatch" displays all lines and not just the lines with "mismatch".

How to collapse unneeded lines in the search result?


Re: How to collapse unneeded lines in the search result for a very long event?

Super Champion

There are a couple of different approaches, none of which I'm a big fan of.

  1. Turn _raw into a multi-value field and then filter out any line without "mismatch" in it:

    ... | eval tmp_raw=split(_raw, "\n") | eval tmp_raw=mvfilter(match(tmp_raw, "\bmismatch\b")) | eval _raw=mvjoin(tmp_raw, "\n")

    (You could do all of this in one eval, but for the purposes of demonstration and clarity, I've split it out into multiple steps.)

  2. Extract the individual "mismatch" lines with rex, then rebuild _raw from the captured lines:

    ... | rex max_match=100 "(?m)^(?<wanted_line>.*\bmismatch\b.*)$" | eval _raw=mvjoin(wanted_line, "\n")

I wasn't able to test either of these, so there could be typos/bugs... but perhaps this will give you a place to start.


You may need to swap out your end-of-line characters first. (Not 100% sure either way.) Here is an example that uses the term --BREAKER-- (which you should change if your events happen to already contain that phrase, but most likely they will not):

... | rex mode=sed "s/\r?\n/--BREAKER--/g" | eval raw_lines=split(_raw, "--BREAKER--") | eval raw_lines=mvfilter(match(raw_lines, "\bmismatch\b")) | eval _raw=mvjoin(raw_lines, "\n")
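To make the split/filter/join pipeline above concrete without a Splunk instance, here is an added Python example (not from the thread, not Splunk code) that does the same thing the SPL does: split one multi-line event into lines, keep only lines matching `\bmismatch\b`, and join the survivors back together. It also implements the second approach (one multiline regex, like `rex "(?m)^(?<wanted_line>...)$"`) so the two can be compared. The sample event is constructed here and uses CRLF line endings on purpose, which is why the split pattern is `\r?\n`. Two practitioner caveats the example makes visible: the bare search term `mismatch` is case-insensitive in Splunk, but `match()` and `rex` are PCRE and case-sensitive unless you add `(?i)`; and `\b` is a whole-word boundary, so "mismatches" is not a hit.

```python
import re

# Constructed sample: one multi-line event with CRLF line endings and a few
# "mismatch" lines buried among routine lines (14 lines in total).
SAMPLE_EVENT = "\r\n".join(
    [f"line {i:04d} routine status ok" for i in range(1, 6)]
    + ["line 0006 checksum mismatch on block 17"]
    + [f"line {i:04d} routine status ok" for i in range(7, 12)]
    + ["line 0012 signature mismatches expected value (not a whole-word hit)"]
    + ["line 0013 MISMATCH in header (case differs)"]
    + ["line 0014 version mismatch: got 2, want 3"]
)


def _word_pattern(term, ignore_case):
    # Equivalent of the SPL match(..., "\bmismatch\b"); PCRE match() is
    # case-sensitive by default, so (?i) / re.IGNORECASE must be explicit.
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(rf"\b{re.escape(term)}\b", flags)


def collapse_split_filter_join(raw, term="mismatch", ignore_case=False):
    """Approach 1: split(_raw) -> mvfilter(match(...)) -> mvjoin(..., "\\n")."""
    lines = re.split(r"\r?\n", raw)          # split(_raw, "\n"), tolerant of CRLF
    pattern = _word_pattern(term, ignore_case)
    wanted = [ln for ln in lines if pattern.search(ln)]   # mvfilter(match(...))
    return "\n".join(wanted)                  # mvjoin(tmp_raw, "\n")


def collapse_multiline_rex(raw, term="mismatch", ignore_case=False, max_match=100):
    """Approach 2: one multiline regex capturing each matching line, as rex would."""
    flags = re.MULTILINE | (re.IGNORECASE if ignore_case else 0)
    pattern = re.compile(rf"^(?P<wanted_line>.*\b{re.escape(term)}\b.*)$", flags)
    # '.' matches '\r' but not '\n', so strip a trailing CR from CRLF input.
    wanted = [m.group("wanted_line").rstrip("\r") for m in pattern.finditer(raw)]
    return "\n".join(wanted[:max_match])      # rex max_match=N caps the captures


def collapse_stats(raw, term="mismatch", ignore_case=False):
    """Return (lines in the original event, lines kept after collapsing)."""
    total = len(re.split(r"\r?\n", raw))
    kept = len(collapse_split_filter_join(raw, term, ignore_case).splitlines())
    return total, kept


if __name__ == "__main__":
    print(collapse_split_filter_join(SAMPLE_EVENT))
    print("--- case-insensitive ---")
    print(collapse_split_filter_join(SAMPLE_EVENT, ignore_case=True))
    print(collapse_stats(SAMPLE_EVENT))
```

Run it to see the 14-line event reduced to the two whole-word, case-sensitive hits (lines 0006 and 0014); with `ignore_case=True` the "MISMATCH" header line is kept as well, while "mismatches" is never kept because of the word boundary. The same applies to the SPL: add `(?i)` inside the `match()` or `rex` pattern if you want the collapsed view to agree with the case-insensitive search term.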

Re: How to collapse unneeded lines in the search result for a very long event?

Splunk Employee

Is the event actually multiple lines (separated with newlines/carriage returns) merged into one event, or is it just one really long line that Splunk breaks on display?


Re: How to collapse unneeded lines in the search result for a very long event?

Splunk Employee

One event that is 2-3k-line-long. Splunk displays the entire event with "mismatch" word highlighted. What is wanted: just show lines that have the word "mismatch" highlighted.


Re: How to collapse unneeded lines in the search result for a very long event?

SplunkTrust

If you're referring to the behaviour in the UI, it really should be collapsing huge multiline events for you by default, unless it's set specifically to show 'all'.

With the search UI showing you events, click 'options' just above the events, and in the popup that opens, check whether 'lines per event' is set to 'all'...

it may be possible you set it once long ago and forgot about it?


Re: How to collapse unneeded lines in the search result for a very long event?

Splunk Employee

"Options" doesn't make any difference for the user. We tried it 😞


Re: How to collapse unneeded lines in the search result for a very long event?

SplunkTrust

Hm. It sounds like a bug then. Not sure what else could explain it, unless the individual lines are incredibly long, and there really are only 5 or 10 lines there and they're just wrapping a lot.
