Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Table format field size

lspringer
Path Finder
‎11-27-2012 09:31 AM

We are trying to create a table view of some event log messages, however some of the event log messages are very long and require a lot of horizontal scrolling to read. We'd like to be able to view the message field all at once, by doing something like having double or triple height rows or word wrap in some way.

Is there anyway to do this?

alt text

Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-27-2012 11:11 AM

I have written a macro that takes a very long field and turns it into a multi-valued field where each value is 100 characters or less. It isn't pretty, but it works.

Here is the macro definition. I just copied it from macros.conf

[long_line_breaker(1)]
# splits a really long field into multiple parts
args = line_text
definition = eval $line_text$=if(len($line_text$) < 100, $line_text$, replace($line_text$, "(.{100})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 202, $line_text$, replace($line_text$, "(.{202})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 304, $line_text$, replace($line_text$, "(.{304})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 406, $line_text$, replace($line_text$, "(.{406})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 508, $line_text$, replace($line_text$, "(.{508})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 610, $line_text$, replace($line_text$, "(.{610})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 712, $line_text$, replace($line_text$, "(.{712})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 814, $line_text$, replace($line_text$, "(.{814})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 916, $line_text$, replace($line_text$, "(.{916})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 1018, $line_text$, replace($line_text$, "(.{1018})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) >= 100, split($line_text$,"\n"),$line_text$)
iseval = 0

I use it in a search like this:

yoursearchhere
| table Message
| `long_line_breaker(Message)`

It works for fields of up to 1100 characters, more or less.

HTH

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-27-2012 11:11 AM

I have written a macro that takes a very long field and turns it into a multi-valued field where each value is 100 characters or less. It isn't pretty, but it works.

Here is the macro definition. I just copied it from macros.conf

[long_line_breaker(1)]
# splits a really long field into multiple parts
args = line_text
definition = eval $line_text$=if(len($line_text$) < 100, $line_text$, replace($line_text$, "(.{100})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 202, $line_text$, replace($line_text$, "(.{202})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 304, $line_text$, replace($line_text$, "(.{304})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 406, $line_text$, replace($line_text$, "(.{406})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 508, $line_text$, replace($line_text$, "(.{508})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 610, $line_text$, replace($line_text$, "(.{610})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 712, $line_text$, replace($line_text$, "(.{712})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 814, $line_text$, replace($line_text$, "(.{814})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 916, $line_text$, replace($line_text$, "(.{916})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) < 1018, $line_text$, replace($line_text$, "(.{1018})(.*)", "\1\\n\2")) \
| eval $line_text$=if(len($line_text$) >= 100, split($line_text$,"\n"),$line_text$)
iseval = 0

I use it in a search like this:

yoursearchhere
| table Message
| `long_line_breaker(Message)`

It works for fields of up to 1100 characters, more or less.

HTH

Reply
Solved! Jump to solution

lokuly
New Member
‎05-20-2013 04:37 PM

That regex is hugely helpful. Never even considered doing it that way.

0 Karma
Reply
Solved! Jump to solution

lspringer
Path Finder
‎11-29-2012 10:31 AM

I got this to work as expected. jonuwz helped to round this all out. For the sake of documentation, I went to Manager » Advanced search » Search macros, created a new macro.

Name : line_breaker(1)
Definition : rex max_match=100 field="$field$" "(?.{0,100}(?:\s|$)|[^\s]+)" | rename split__regex as "$field$"
Argument : field

Then I ran the search : host=server01 sourcetype="WinEventLog:Application" | table Message | line_breaker(Message)

Thanks to both of you for your assistance.

Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎09-14-2018 08:54 AM

Thank you @lspringer for detailing this

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎11-27-2012 01:10 PM

Nicer! Thanks!

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎11-27-2012 01:05 PM

And for the regex masochists..

rex max_match=100 field="$field$" "(?<split__regex>.{0,100}(?:\s|$)|[^\s]+)" | rename split__regex as "$field$"

splits lines into 100 character chunks on whitespace boundaries unless there's no whitespace for 100 characters, in which case the width will expand to fit.

The regex to split unconditionally at 100 chars is

"(?<split__regex>.{0,100}(?:\s|$)|.{100})"

Reply
Solved! Jump to solution

lspringer
Path Finder
‎11-27-2012 12:56 PM

I've tried this and it works but as you stated it's not very pretty. Thanks...

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-27-2012 09:53 AM

The easiest way is probably to use the Sideview Table module instead of the SimpleResultsTable module. Table has many significant improvements over SimpleResultsTable, but a tiny one that I honestly never noticed is that SimpleResultsTable forces long values to live on one line, whereas Table doesn't do this...

http://sideviewapps.com/apps/sideview-utils/

To get the Table module you'll need a relatively new version of Sideview Utils - Table only came out in 2.2, the current version is 2.2.6, and the old version on Splunkbase is 1.3.5

Assuming that someday someone will want the reverse behavior though, I'll add a requirement to my list to make Table respect the $results.softWrap$ convention, so if you need to, you can set softWrap to false upstream and the Table would then behave like SRT.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...