Solved: Re: Show most relevant lines (Exceeds 500 limit)

hjwang · ‎06-16-2011

Hi~there,

We index some system config file to facilitate user's lookup.
But it seems the splunk have the limits in showing only 500 lines per event.
I try to add MAX_EVENT = 10000 in props.conf of search apps, but it still does not work. Any workaround for this? Thanks for your help.

hazekamp · ‎06-16-2011

hjwang,

You need to modify the XML configuration for views that have the EventsViewer module (namely flashtimeline) to override the 500 limit in the UI. This is achieved by setting the maxLines param to 0 and maxLinesContraint to X. I wouldn't recommend going to high with maxLinesConstraint since it is listed as a "Browser crash control setting". Your modifications should reflect:

## Snippet from $SPLUNK_HOME/etc/apps/search/local/data/ui/views/flashtimeline.xml
<module name="EventsViewer" layoutPanel="resultsAreaLeft">
  <param name="segmentation">full</param>
  <param name="reportFieldLink">report_builder_format_report</param>
  <!-- Override display # of lines to 1000 -->
  <param name="maxLines">0</param>
  <param name="maxLinesConstraint">1000</param>

View solution in original post

landen99 · ‎11-19-2015

https://answers.splunk.com/answers/243049/show-all-lines-for-windows-event-log-events.html#answer-32...

Directly above the data and below the timeline (on the Event tab and beneath tab with the word "Visualization") there is a "Format" Option where you can set "Max Lines" to "All lines"

dmaislin_splunk · ‎03-15-2013

Nothing stops you from copying flashtimeline.xml to a different view/app and making your changes there. Then they would not get overridden.

fastauto · ‎01-18-2013

Awesome tip. I would be great if the limit was part of the limits.conf configuration. As is, it has to be changed for every new release.

hazekamp · ‎06-16-2011

hjwang,

You need to modify the XML configuration for views that have the EventsViewer module (namely flashtimeline) to override the 500 limit in the UI. This is achieved by setting the maxLines param to 0 and maxLinesContraint to X. I wouldn't recommend going to high with maxLinesConstraint since it is listed as a "Browser crash control setting". Your modifications should reflect:

## Snippet from $SPLUNK_HOME/etc/apps/search/local/data/ui/views/flashtimeline.xml
<module name="EventsViewer" layoutPanel="resultsAreaLeft">
  <param name="segmentation">full</param>
  <param name="reportFieldLink">report_builder_format_report</param>
  <!-- Override display # of lines to 1000 -->
  <param name="maxLines">0</param>
  <param name="maxLinesConstraint">1000</param>

jimdiconectiv · ‎03-28-2017

This looks very promising, but I can't find the relevent section of flashtimeline.xml in the "default" dir. My guess is they have changed how this is done. This is versin 6.5 .

hazekamp · ‎03-28-2017

Yes, flashtimeline.xml (the original advanced xml implementation of the search page) is no longer valid. I'm not 100% certain what this looks like in modern versions, but I can dig a bit.

withool000 · ‎10-06-2014

I am using version 5.0.3.
The maximum number that I can specify is 500. An error message will show, if I put the greater number than that.

Any recommendation on this please.

the_wolverine · ‎12-05-2013

Which version(s) does this apply to? It doesn't appear to work in version 5.0.3 -- I'm still being limited by UI displaying only most relevant 500 lines despite this modification.

hjwang · ‎06-16-2011

hazekamp, thank you very much. it really works

Show most relevant lines (Exceeds 500 limit)

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024