Splunk Search

How to override the 20 line limit for the table view of embedded reports?

grundsch
Communicator

Hi,

It looks like a table view of an embedded report is limited to the first 20 results.
I couldn't find any place where to change this limit. Changing the view before embedding didn't help either...

Can you point me in the right direction?

Thanks,
Steph

1 Solution

efavreau
Motivator

@grundschFor the sake of the community, because this was never answered, here's a WORKAROUND.

Below is a run-anywhere example to show how to work around the 20 results limit for an embedded report. It's not intuitive. Run it one line at a time and get an understanding of it. The formatting with this approach is less than perfect, but if you can deal with it, this is a valid workaround. (solution graciously provided by @dmarling )

index=_internal sourcetype=splunkd_access user!="splunk-system-user" user!="-"
| head 30
| streamstats count as counter
| eval counter=counter-1
| bin counter span=10
| eval clowncar=user."~".method."~".clientip."~".bytes
| stats values(clowncar) as clowncar by counter
| rex field=clowncar "(?<user>[^~]*)~(?<method>[^~]*)~(?<clientip>[^~]*)~(?<bytes>[^~]*)"
| fields - clowncar counter

 

###

If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

efavreau
Motivator

@grundschFor the sake of the community, because this was never answered, here's a WORKAROUND.

Below is a run-anywhere example to show how to work around the 20 results limit for an embedded report. It's not intuitive. Run it one line at a time and get an understanding of it. The formatting with this approach is less than perfect, but if you can deal with it, this is a valid workaround. (solution graciously provided by @dmarling )

index=_internal sourcetype=splunkd_access user!="splunk-system-user" user!="-"
| head 30
| streamstats count as counter
| eval counter=counter-1
| bin counter span=10
| eval clowncar=user."~".method."~".clientip."~".bytes
| stats values(clowncar) as clowncar by counter
| rex field=clowncar "(?<user>[^~]*)~(?<method>[^~]*)~(?<clientip>[^~]*)~(?<bytes>[^~]*)"
| fields - clowncar counter

 

###

If this reply helps you, an upvote would be appreciated.
0 Karma

grundsch
Communicator

Nice idea of chunking results in 10 blocks of multivalued fields, and I didn't expected rex to behave like that on multivalued fileds, interesting!

I would use "list" instead of "values" to keep the order and maybe even duplicates (depends on your use case).

0 Karma

hettervik
Builder

I've found a workaround to this issue. The limit is 20 table rows, but there seems to be no limit in the number of multivalue fields in a single row. So, instead of say running | stats count by user | fields user, you can use | stats values(user) as users by index | fields users. It's not pretty, but it works.

0 Karma

sahr_m_lebbie
Engager

2020, still facing the same issue. Any help would be appreciated.,2020, Still same issue, unless someone has solved it.

0 Karma

lyc1986830
New Member

I still hit this issue in splunk 6.6.1. Is this bug fixed in any new version or any plan to fix this?

0 Karma

grundsch
Communicator

I've found in etc/system/default/ui-prefs.conf the following:

display.prefs.events.count = 20
display.prefs.statistics.count = 20

but changing it (in etc/system/local/ui-prefs.conf) didn't help...
any other idea? can we override it somewhere?

0 Karma

samarkumar
Path Finder

I got the same problem, it will be great if any one share the idea to resolve this issue.

0 Karma

Lindaiyu
Path Finder

I got the same problem, could anyone have solved it?
Thank you

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...