How to display the entire source under each event in the search results Events tab without clicking on "Show Source"?

Explorer

Hi,

Currently, if I search for any event in the search tab, I am getting only that particular event's details from the log files. I want to get the entire source from the log file. Now, to see the source file, I am clicking on the event action from that event line and clicking on "Show Source"; this gives me the entire source. Is there any way to get this source under that event itself?

Thank You!

0 Karma

Re: How to display the entire source under each event in the search results Events tab without clicking on "Show Source"?

Explorer

Hi,

Can anyone help me on this?

0 Karma

Re: How to display the entire source under each event in the search results Events tab without clicking on "Show Source"?

Influencer

How is it different from what you are seeing as event details? Is it because you are getting the results from multiple sources for your search? If so, add a filter on the source field for which you would like to see the results.

0 Karma

Re: How to display the entire source under each event in the search results Events tab without clicking on "Show Source"?

Splunk Employee

Hard to tell what you're asking for exactly, but if you want to see the raw events (rather than the list of events with a resolved timestamp):

In the search view - run your search so that the events are displayed
Just above the events themselves there are three link style dropdowns.
By default the values are:
List / Format / 20 Per Page
Click List and note that the other menu items are "table" and "raw"; you want raw, as in the raw event... the source event.

Is that what you're looking for?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Re: How to display the entire source under each event in the search results Events tab without clicking on "Show Source"?

Explorer

Hi,

After we run our search, events will be displayed. Here I want to see my entire source file (the log file where we are searching our events) under the resulting events. But now I am using the event action > show source option to check my source file.

0 Karma

Re: How to display the entire source under each event in the search results Events tab without clicking on "Show Source"?

Splunk Employee

Follow my directions and you will get the same results as Action > Show Source, except you see the entire listing of raw events (the results of your search) in raw format (this is what show source does, but it shows only a few entries).

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Re: How to display the entire source under each event in the search results Events tab without clicking on "Show Source"?

Explorer

Hi ,

I have changed from List to Raw, but I am not getting any additional lines in the result. The difference I can see is that, at the bottom, it is not showing the sourcetype, source and host details in this Raw option.

0 Karma

Re: How to display the entire source under each event in the search results Events tab without clicking on "Show Source"?

Splunk Employee

I think I'm not understanding what you want.

When you are looking at your results with the default "list" view, and then you click on the > and get to your "Event Actions", the view there shows you the RAW text and the fields that are extracted with their values.

When you change from List to Raw, you see the raw events... all of them, but only the raw events.

If that's not what you want, and "Show Source" (which shows you a sample of the source; I have 148,107 events, and "show source" shows me a sample of that) - can you see if you can clearly describe what you want to see? If you want to see the source events in a raw format, these are two ways. What else do you want to do (that is being prohibited by viewing the events in raw format) that makes this less than satisfactory?

And I should probably ask WHY you want to see it as well... maybe that will help me/us help you.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Re: How to display the entire source under each event in the search results Events tab without clicking on "Show Source"?

Explorer

Hi ,

"show source" shows a sample of our events right? I want those sample files under my search result (events).

Actually I am using drilldown on my dashboards. After I click on the bars in the chart, it takes me to the event details (search view) page, and again from here, if I want to analyse some details about why this event happened (we need to analyse that from the actual source file, i.e. the last two lines before that event happened), only here am I using the show source option (I feel like I am drilling down a second time). So to avoid this, I want these sample details under those events (search result).

Thank you for helping me on this!!

0 Karma

Re: How to display the entire source under each event in the search results Events tab without clicking on "Show Source"?

Splunk Employee

Well, the search view is the search view... so you can't alter its functionality... (you can replace it with your own, but I'm not sure you want that much work) but I'm wondering, if you are really looking for "last two lines before the event happened", why aren't you running a new search with your drilldown and just showing info from those two? I'm sure it's not the whole event but something about that event that you want to see...

You can drill down to a panel on the same page and use "Event" chart to dump them out if you want... or if you can boil it down further... statistics chart etc...

To understand drilldown beyond just jumping out to the search view check out the dashboard examples app on apps.splunk.com: https://splunkbase.splunk.com/app/1603/
Once you install it, navigate to "examples" > "Drilldown Elements" and check out the one on the lower right hand corner of the drilldown section, "Contextual Drilldown in Page"; also, just left of that one, dynamic drilldown, which shows you how to control the destination of your drilldowns.

Doing a search to show a problem and then going back and dumping out the sourcefile and what? Eyeballing it? Seems a bit self defeating! 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!