Splunk Search

How to display the entire source under each event in the search results Events tab without clicking on "Show Source"?

chris1
Explorer

Hi,

Currently, if I search for any event in the search tab, I am getting only that particular event's details from the log files. I want to get the entire source from the log file. Now, to see the source file, I click on the event action from that event line and click on "Show Source", which gives me the entire source. Is there any way to get this source under that event itself?

Thank You!


zhongd1
New Member

Hi,

Is there an API that can get the full source? I mean, when doing a search in Splunk, I can select one result and click Event Action --> Show Source to see the full log file. Now I want to get it not from the Splunk Web page but on some Linux servers via an API. Is there a way to do so?


rsennett_splunk
Splunk Employee

Hard to tell what you're asking for exactly, but if you want to see the raw events (rather than the list of events with a resolved timestamp):

In the search view - run your search so that the events are displayed
Just above the events themselves there are three link-style dropdowns.
By default the values are:
List / Format / 20 Per Page
Click List and note that the other menu items are "Table" and "Raw". You want Raw, as in the raw event... the source event.

Is that what you're looking for?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

chris1
Explorer

Hi,

After we run our search, events will be displayed. Here I want to see my entire source file (the log file where we are searching our events) under the resulting events. But now I am using Event Action > Show Source to check my source file.


rsennett_splunk
Splunk Employee

Follow my directions and you will get the same results as Action > Show Source, except you see the entire listing of raw events (the results of your search) in raw format (this is what Show Source does, but it shows only a few entries).

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

chris1
Explorer

Hi,

I have changed from List to Raw, but I am not getting any additional lines in the result. I can see the difference that at the bottom it is not showing the sourcetype, source and host details in this Raw option.


rsennett_splunk
Splunk Employee

I think I'm not understanding what you want.

When you are looking at your results in the default "List" view and then click on the > to get to your "Event Actions", the view there shows you the RAW text and the fields that are extracted, with their values.

When you change from List to Raw, you see the raw events... all of them, but only the raw events.

If that's not what you want, and neither is "Show Source" (which shows you a sample of the source: I have 148,107 events, and "show source" shows me a sample of that), can you see if you can clearly describe what you want to see? If you want to see the source events in raw format, these are two ways. What else do you want to do (that is being prohibited by viewing the events in raw format) that makes this less than satisfactory?

And I should probably ask WHY you want to see it as well... maybe that will help me/us help you.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

chris1
Explorer

Hi,

"show source" shows a sample of our events right? I want those sample files under my search result (events).

Actually, I am using drilldown on my dashboards. After I click on the bars in the chart, it takes me to the event details (search view) page, and again from here, if I want to analyse some details about why this event happened (we need to analyse that from the actual source file, i.e. the last two lines before that event happened), I am using only the Show Source option (I feel like I am drilling down a second time). So to avoid this, I want these sample details under the events (search result).

Thank you for helping me on this!!


rsennett_splunk
Splunk Employee

Well, the search view is the search view... so you can't alter its functionality... (you can replace it with your own, but I'm not sure you want that much work). But I'm wondering: if you are really looking for the "last two lines before the event happened", why aren't you running a new search with your drilldown and just showing info from those two? I'm sure it's not the whole event but something about that event that you want to see...

You can drill down to a panel on the same page and use an "Event" chart to dump them out if you want... or, if you can boil it down further, a statistics chart etc...

To understand drilldown beyond just jumping out to the search view, check out the Dashboard Examples app on apps.splunk.com: https://splunkbase.splunk.com/app/1603/
Once you install it, navigate to "Examples" > "Drilldown Elements" and check out the one in the lower right-hand corner of the drilldown section, "Contextual Drilldown in Page". Also, just left of that one, "Dynamic Drilldown" shows you how to control the destination of your drilldowns.

Doing a search to show a problem and then going back and dumping out the source file and... what? Eyeballing it? Seems a bit self-defeating! 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

chris1
Explorer

Hi,

How do we write a query to get those two lines before the event happened? Can you help me?


rsennett_splunk
Splunk Employee

Lots of people can help you with that...

Best thing to do is to open another Answers entry (it's now a totally different question):

"How to get the two events that occur right before a specific event showing a specific kind of error?"

Then what you want to do is provide an example of how you get to the "defining event" (your search) and what those events look like raw (provide multiple examples so people can Splunk the sample data if they want to try out different solutions). List the fields you've pulled out of there, etc. Explain why you want to see those two previous events and how that benefits you.

If your goal is to do this in a dashboard then specify that too because it opens the possibilities of tokenizing fields and displaying key values that will help you in your troubleshooting.

This one is asked and answered. Turns out... the question you were asking wasn't the one you intended to ask! 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

chris1
Explorer

Hi,
Thank you for the help!!! I will raise a new question.


chris1
Explorer

Hi,

Can anyone help me on this?


pradeepkumarg
Influencer

How is it different from what you are seeing as event details? Is it because you are getting the results from multiple sources for your search? If so, add a filter on the source field for which you would like to see the results.

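An added example, not from this thread, covering the API route zhongd1 asks about together with pradeepkumarg's suggestion to filter on the source field: it builds the narrowed SPL, parses the newline-delimited JSON that the /services/search/jobs/export endpoint streams back, and pulls the two events preceding the first error, which is the context chris1 wanted. The base URL, the authentication token and the sample export stream are assumptions or constructed for the demo.

```python
import json
import urllib.parse
import urllib.request

EXPORT_PATH = "/services/search/jobs/export"


def build_source_search(base_search, source):
    """SPL for pradeepkumarg's suggestion: the original search narrowed to a single source.
    Quotes and backslashes in the path are escaped so they cannot alter the filter."""
    escaped = source.replace("\\", "\\\\").replace('"', '\\"')
    return f'search {base_search} source="{escaped}" | sort 0 _time | fields _time _raw'


def parse_export(body):
    """Parse the newline-delimited JSON the export endpoint streams (output_mode=json):
    one object per line holding a "result" dict; preview rows are skipped."""
    events = []
    for line in filter(str.strip, body.splitlines()):
        obj = json.loads(line)
        if not obj.get("preview") and "result" in obj:
            events.append(obj["result"])
    return events


def context_before(events, predicate, count=2):
    """The `count` events right before the first one matching `predicate`
    (events are in ascending _time order because of the `sort 0 _time`)."""
    for i, ev in enumerate(events):
        if predicate(ev):
            return events[max(0, i - count):i]
    return []


def fetch_events(base_url, token, spl, earliest="-24h", latest="now"):
    """Run `spl` through the REST export endpoint using a Splunk authentication token."""
    form = {"search": spl, "output_mode": "json", "earliest_time": earliest, "latest_time": latest}
    req = urllib.request.Request(base_url + EXPORT_PATH, data=urllib.parse.urlencode(form).encode(),
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return parse_export(resp.read().decode("utf-8"))

# Constructed sample of the export stream; not captured from a real Splunk server.
SAMPLE_EXPORT = "\n".join([
    '{"preview":true,"offset":0,"result":{"_raw":"partial preview row, ignored"}}',
    '{"preview":false,"offset":0,"result":{"_time":"2024-12-01T10:00:01.000+00:00","_raw":"app: request id=7 started"}}',
    '{"preview":false,"offset":1,"result":{"_time":"2024-12-01T10:00:02.000+00:00","_raw":"app: db pool exhausted"}}',
    '{"preview":false,"offset":2,"result":{"_time":"2024-12-01T10:00:03.000+00:00","_raw":"app: ERROR request id=7 failed"}}',
])
```

Against a live server, `fetch_events("https://splunk.example:8089", token, build_source_search('index=main', '/var/log/app.log'))` returns the same list shape that `parse_export(SAMPLE_EXPORT)` does offline, and `context_before(events, lambda e: "ERROR" in e["_raw"])` yields the two preceding events.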