Is there a way to format data in a table column to print one entry on a line? In my alert the table data shows up something like below;
Column A Column B Column C 184.108.40.206 server1.my.domain ser Some data 1 erver2.my.domain serv some data 2 er3.my.domain
What I need to do is have that same data show up like this;
Column A         Column B            Column C
220.127.116.11   server1.my.domain   Some data 1
                 server2.my.domain   Some data 2
                 server3.my.domain
I was thinking about adding a new line to each entry but I'm not sure that would work.
Any ideas out there?
So, if your search is like this
index=_internal | stats values(sourcetype) as sourcetypes by host
You can transform your query like this to format the report/alert email (inline) output
index=_internal | stats values(sourcetype) as sourcetypes by host delim="," | rex mode=sed field=sourcetypes "s/,/\n/g"
Thank you for your reply, but it didn't work. And it's really my fault. Looking closer at the email report I saw the issue was really a long line of data wrapping around to the next line. Each entry started on its own line, but longer ones were causing the issue. Using the example above, the issue was showing up as;
Column A Column B Column C 18.104.22.168 server1.my.dom Some data 1 ain Some data 2 server002.my.do main server3.my.dom ain
What I need is a way to force the size of a specific column in the email to something that will be long enough to hold all the line data without wrapping. That I can't find.
To a degree, this is committing spreadsheet, but as a last resort you could do this...
(your search here)
| table ColumnA ColumnB ColumnC
| streamstats count as recno
| eval maxrecs=if(mvcount(ColumnB)>mvcount(ColumnC),mvcount(ColumnB),mvcount(ColumnC))
| eval myfan=mvrange(0,maxrecs)
| mvexpand myfan
| eval ColumnB=case(myfan<mvcount(ColumnB),mvindex(ColumnB,myfan))
| eval ColumnC=case(myfan<mvcount(ColumnC),mvindex(ColumnC,myfan))
| table recno myfan maxrecs ColumnA ColumnB ColumnC
This should give you
recno   myfan   maxrecs   ColumnA          ColumnB             ColumnC
1       1       3         22.214.171.124   server1.my.domain   Some data 1
1       1       3         126.96.36.199    server2.my.domain   Some data 2
1       1       3         188.8.131.52     server3.my.domain
Assuming the above looks okay, then you can do this to get rid of the duplicate ColumnA values and return the desired columns.
| streamstats count as count1 by recno
| eval ColumnA = case(count1=1,ColumnA)
| eval recno = case(count1=1,recno)
| table recno ColumnA ColumnB ColumnC
That gives you the display you want, although technically in multiple events per ColumnA value.
recno   ColumnA          ColumnB             ColumnC
1       184.108.40.206   server1.my.domain   Some data 1
                         server2.my.domain   Some data 2
                         server3.my.domain
2       220.127.116.11   server4.my.domain   Some data 3
3       18.104.22.168    server5.my.domain   Some data 4
                         server6.my.domain   Some data 5
                                             Some data 6
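The same fan-out written once for any number of columns, as an added example that is not part of the original answer. It assumes every field to display has a name starting with `Column` (so the wildcard `Column*` matches them all) and uses the `foreach` command, which the thread itself does not mention.

```spl
(your search here)
| table Column*
| streamstats count as recno
| eval maxrecs=0
| foreach Column* [ eval maxrecs=max(maxrecs, coalesce(mvcount('<<FIELD>>'), 0)) ]
| eval myfan=mvrange(0, maxrecs)
| mvexpand myfan
| foreach Column* [ eval <<FIELD>>=mvindex('<<FIELD>>', myfan) ]
| eval recno=if(myfan=0, recno, null())
| table recno Column*
```

Because `mvindex` returns null past the end of a field, single-valued fields such as ColumnA come out blank on every row after the first, so the second `streamstats` pass is not needed here.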
Thank you for your update but right now I'm looking at 20 columns and think your solution might get a little out of hand for me. I will keep it in mind if this next possibility doesn't work.
I've been looking around and ~think~ I've found another solution. Unfortunately I really don't know how to implement it at the moment. From what I've read, using the keyword "nowrap" in the "td" definition will prevent text in the cell from breaking into multiple lines. The example that was given is below:
<table>
  <tr>
    <th>Poem</th>
    <th>Poem</th>
  </tr>
  <tr>
    <td nowrap>Never increase, beyond what is necessary, the number of entities required to explain anything</td>
    <td>Never increase, beyond what is necessary, the number of entities required to explain anything</td>
  </tr>
</table>
This worked perfectly in the example.
Now I thought I saw that somewhere in Splunk there is a CSS file that controls the output of the alert emails. Unfortunately I can't seem to find that file nor any reference to it. If anyone out there can point me to the specific CSS file associated with a scheduled search I'd really appreciate it.