Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to format data in a table column to print one entry on a line?

OldManEd
Builder
‎05-10-2018 12:53 PM

Is there a way to format data in a table column to print one entry on a line? In my alert the table data shows up something like below;

Column A            Column B                       Column C
1.1.1.1            server1.my.domain ser     Some data 1
                   erver2.my.domain serv     some data 2
                   er3.my.domain

What I need to do is have that same data show up like this;

Column A         Column B                       Column C
1.1.1.1          server1.my.domain      Some data 1
                 server2.my.domain      Some data 2
                 server3.my.domain

I was thinking about adding a new line to each entry but I'm not sure that would work.

Any ideas out there?

~Ed

0 Karma
Reply

DalJeanis
Legend
‎05-14-2018 07:18 AM

To a degree, this is committing spreadsheet, but as a last resort you could do this...

(your search here)
| table ColumnA ColumnB ColumnC
| streamstats count as recno 
| eval maxrecs=if(mvcount(ColumnB)>mvcount(ColumnC),mvcount(ColumnB),mvcount(ColumnC))
| eval myfan=mvrange(0,maxrecs)
| mvexpand myfan
| eval ColumnB=case(myfan<mvcount(ColumnB),mvindex(columnB,myfan))
| eval ColumnC=case(myfan<mvcount(ColumnC),mvindex(columnC,myfan))
| table recno myfan maxrecs ColumnA ColumnB ColumnC

This should give you 

recno    myfan    maxrecs    ColumnA          ColumnB                ColumnC
1        1        3          1.1.1.1          server1.my.domain      Some data 1
1        1        3          1.1.1.1          server2.my.domain      Some data 2
1        1        3          1.1.1.1          server3.my.domain

Assuming the above looks okay, then you can do this to get rid of the duplicate ColumnA values and return the desired columns.

| streamstats count as count1 by recno
| eval ColumnA = case(count1=1,ColumnA)
| eval recno = case(count1=1,recno) 
| table recno ColumnA ColumnB ColumnC

That gives you the display you want, although technically in multiple events per ColumnA value. 

recno    ColumnA          ColumnB                ColumnC
1        1.1.1.1          server1.my.domain      Some data 1
                          server2.my.domain      Some data 2
                          server3.my.domain
2        1.1.1.2          server4.my.domain      Some data 3
3        1.1.1.3          server5.my.domain      Some data 4
                          server6.my.domain      Some data 5 
                                                 Some data 6
0 Karma
Reply

OldManEd
Builder
‎05-15-2018 06:43 AM

DalJeanis,
Thank you for your update but right now I'm looking at 20 columns and think your solution might get a little out of hand for me. I will keep it in mind if this next possibility doesn't work.

I've been looking around and ~think~ I've found another solution. Unfortunately I really don't know how to implement it at the moment. From what I've read, using the keyword "nowrap" in the "td" definition will prevent text in the cell from breaking into multiple lines. The example that was given is below:

<table>
  <tr>
    <th>Poem</th>
    <th>Poem</th>
  </tr>
  <tr>
    <td nowrap>Never increase, beyond what is necessary, the number of entities required to explain anything</td>
    <td>Never increase, beyond what is necessary, the number of entities required to explain anything</td>
  </tr>
</table>

This worked perfectly in the example.

Now I thought I saw that somewhere in Splunk there is a CSS file that controls the output of the alert emails. Unfortunately I can't seem to find that file nor any reference to it. If anyone out there can point me to the specific CSS file associated with a scheduled search I'd really appreciate it.

~Ed

0 Karma
Reply

somesoni2
Revered Legend
‎05-10-2018 02:54 PM

What's your current alert search generating that output?

0 Karma
Reply

somesoni2
Revered Legend
‎05-10-2018 03:06 PM

So, if your search is like this 

index=_internal | stats values(sourcetype) as sourcetypes by host

You can transform your query like to this to format the report/alert email (inline) output

index=_internal | stats values(sourcetype) as sourcetypes by host delim="," | rex mode=sed field=sourcetypes "s/,/\n/g"
0 Karma
Reply

OldManEd
Builder
‎05-11-2018 07:08 AM

somesoni2,
Thank you for your reply, but it didn't work. And it's really my fault. Looking closer at the email report I saw the issue was really a long line of data wrapping around to the next line. Each entry started on its own line, but longer ones were causing the issue. Using the example above, the issue was showing up as;

 Column A        Column B               Column C
 1.1.1.1            server1.my.dom    Some data 1
                         ain                            Some data 2
                         server002.my.do
                         main 
                         server3.my.dom
                         ain

What I need is a way to force the size of a specific column in the email to something that will be long enough to hold all the line data without wrapping. That I can't find.

~Ed

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top