Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show most relevant lines (Exceeds 500 limit)

hjwang
Contributor
‎06-16-2011 02:19 AM

Hi~there,

We index some system config file to facilitate user's lookup.
But it seems the splunk have the limits in showing only 500 lines per event.
I try to add MAX_EVENT = 10000 in props.conf of search apps, but it still does not work. Any workaround for this? Thanks for your help.

Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎06-16-2011 10:49 AM

hjwang,

You need to modify the XML configuration for views that have the EventsViewer module (namely flashtimeline) to override the 500 limit in the UI. This is achieved by setting the maxLines param to 0 and maxLinesContraint to X. I wouldn't recommend going to high with maxLinesConstraint since it is listed as a "Browser crash control setting". Your modifications should reflect:

## Snippet from $SPLUNK_HOME/etc/apps/search/local/data/ui/views/flashtimeline.xml
<module name="EventsViewer" layoutPanel="resultsAreaLeft">
  <param name="segmentation">full</param>
  <param name="reportFieldLink">report_builder_format_report</param>
  <!-- Override display # of lines to 1000 -->
  <param name="maxLines">0</param>
  <param name="maxLinesConstraint">1000</param>

View solution in original post

Reply
Solved! Jump to solution

landen99
Motivator
‎11-19-2015 06:19 AM

https://answers.splunk.com/answers/243049/show-all-lines-for-windows-event-log-events.html#answer-32...

Directly above the data and below the timeline (on the Event tab and beneath tab with the word "Visualization") there is a "Format" Option where you can set "Max Lines" to "All lines"

0 Karma
Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎03-15-2013 05:18 AM

Nothing stops you from copying flashtimeline.xml to a different view/app and making your changes there. Then they would not get overridden.

0 Karma
Reply
Solved! Jump to solution

fastauto
New Member
‎01-18-2013 09:14 AM

Awesome tip. I would be great if the limit was part of the limits.conf configuration. As is, it has to be changed for every new release.

0 Karma
Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎06-16-2011 10:49 AM

hjwang,

You need to modify the XML configuration for views that have the EventsViewer module (namely flashtimeline) to override the 500 limit in the UI. This is achieved by setting the maxLines param to 0 and maxLinesContraint to X. I wouldn't recommend going to high with maxLinesConstraint since it is listed as a "Browser crash control setting". Your modifications should reflect:

## Snippet from $SPLUNK_HOME/etc/apps/search/local/data/ui/views/flashtimeline.xml
<module name="EventsViewer" layoutPanel="resultsAreaLeft">
  <param name="segmentation">full</param>
  <param name="reportFieldLink">report_builder_format_report</param>
  <!-- Override display # of lines to 1000 -->
  <param name="maxLines">0</param>
  <param name="maxLinesConstraint">1000</param>
Reply
Solved! Jump to solution

jimdiconectiv
Path Finder
‎03-28-2017 01:34 PM

This looks very promising, but I can't find the relevent section of flashtimeline.xml in the "default" dir. My guess is they have changed how this is done. This is versin 6.5 .

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎03-28-2017 03:20 PM

Yes, flashtimeline.xml (the original advanced xml implementation of the search page) is no longer valid. I'm not 100% certain what this looks like in modern versions, but I can dig a bit.

0 Karma
Reply
Solved! Jump to solution

withool000
New Member
‎10-06-2014 02:14 AM

I am using version 5.0.3.
The maximum number that I can specify is 500. An error message will show, if I put the greater number than that.

Any recommendation on this please.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎12-05-2013 08:45 AM

Which version(s) does this apply to? It doesn't appear to work in version 5.0.3 -- I'm still being limited by UI displaying only most relevant 500 lines despite this modification.

0 Karma
Reply
Solved! Jump to solution

hjwang
Contributor
‎06-16-2011 06:56 PM

hazekamp, thank you very much. it really works

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...