Splunk Search

New Line isn't considered/shown in the table Splunk Dashboard Studio

vinodkumarK
Explorer

In the Splunk app, the exception message column has multiple line message in it. However, when same query is applied to the table event in the Splunk Dashboard Studio, the newline isn't considered, and message is read continuously.

Below is the Splunk app result.

vinodkumarK_0-1731057420420.png

Below is the table shown in the Studio.

vinodkumarK_1-1731057461340.png

Below is the Splunk Query.

 

index="eqt-e2e"
| spath suite_build_name | search suite_build_name="PAAS-InstantInk-Stage-Regression-Smooth-Transition" 
| spath unit_test_name_failed{} output=unit_test_name_failed
| mvexpand unit_test_name_failed
| spath input=unit_test_name_failed
| where message!="Test was skipped" 
| spath suite_build_number | search suite_build_number="*"
| where (if("*"="*", 1=1, like(author, "%*%")))
| where (if("*"="*", 1=1, like(message, "%*%")))
| spath suite_build_start_time 
| sort - suite_build_start_time
| eval suite_build_time = strftime(strptime(suite_build_start_time, "%Y-%m-%d %H:%M:%S"), "%I:%M %p")
| table suite_build_name, suite_build_number, suite_build_time, author, test_rail_name, message
| rename suite_build_name AS "Pipeline Name", suite_build_number AS "Pipeline No.", suite_build_time AS "Pipline StartTime (UTC)", author AS "Test Author", test_rail_name AS "Test Name", message AS "Exception Message"

 

@ITWhisperer 

Labels (1)
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

The solution to this (like a lot of issues with Studio) is to use Classic SimpleXML dashboards (until Studio catches up with all the missing functionality of Classic)! (Or try and forget what Classic can do and live with the limitations of Studio!) 😎 You could also raise a support case with Splunk identifying the problem so it can be added to the (long) list of outstanding deficiencies!

View solution in original post

vinodkumarK
Explorer

Apologies @ITWhisperer, will remember it!😅😅

I just tried to create table in the classic dashboard, and here the new line is shown.

vinodkumarK_0-1731059091274.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The solution to this (like a lot of issues with Studio) is to use Classic SimpleXML dashboards (until Studio catches up with all the missing functionality of Classic)! (Or try and forget what Classic can do and live with the limitations of Studio!) 😎 You could also raise a support case with Splunk identifying the problem so it can be added to the (long) list of outstanding deficiencies!

ITWhisperer
SplunkTrust
SplunkTrust

@vinodkumarK Please do not tag / mention me in your posts - I, like many people here, am a volunteer, and, as such I can choose which posts to comment on. I do not appreciate having demands made on my time. I tend to prioritise which posts I answer. Given that this is a Dashboard Studio question, my first response would be, does it also happen in Classic / SimpleXML dashboards?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...