Displays sourcetypes being truncated on ingest; selecting one shows the related _internal message and an event that caused it to trigger.
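<form>
  <label>Data Issues</label>
  <description>Truncation, Date Parsing and Timestamp issues</description>
  <!--
    Purpose: list sourcetypes for which splunkd's LineBreakingProcessor logged a
    truncation message; clicking a row shows the matching _internal messages and
    a sample event whose length equals the logged limit.

    Review notes:
    * Every query is wrapped in CDATA. The rex patterns contain a literal "<"
      (named capture groups), which is not well-formed XML as bare element text.
    * form.data_sourcetype and form.limit are set by the drilldown below, but
      form.* tokens can also be supplied through the dashboard URL. They are
      therefore substituted with the |s token filter, which quotes the value, so
      a crafted value is treated as a field value and not as extra SPL.
  -->
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Choose a problematic sourcetype</title>
      <table>
        <search>
          <!-- Per sourcetype and limit: message count, average and maximum reported length, distinct sources and hosts. -->
          <query><![CDATA[index=_internal sourcetype=splunkd component=LineBreakingProcessor
| extract
| rex "because\slimit\sof\s(?<limit>\S+).*>=\s(?<actual>\S+)"
| stats count avg(actual) max(actual) dc(data_source) dc(data_host) BY data_sourcetype, limit
| eval avg(actual)=round('avg(actual)')
| sort - count]]></query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <!-- The clicked row drives both detail panels in the next row. -->
          <set token="form.data_sourcetype">$row.data_sourcetype$</set>
          <set token="form.limit">$row.limit$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$form.data_sourcetype$">
      <title>Event in _internal</title>
      <table>
        <search>
          <query><![CDATA[index=_internal sourcetype=splunkd component=LineBreakingProcessor data_sourcetype=$form.data_sourcetype|s$
| extract
| rex "because\slimit\sof\s(?<limit>\S+).*>=\s(?<actual>\S+)"
| fields _raw _time data_sourcetype limit]]></query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel depends="$form.data_sourcetype$">
      <title>Event that reaches the limit</title>
      <event>
        <search>
          <!--
            This search covers every index the viewing user can read and is bounded
            only by the time picker, so it can be expensive on a wide time range.
            NOTE(review): len() counts characters; if the logged limit is a byte
            count, events with multi-byte characters may not match. Confirm.
          -->
          <query><![CDATA[index=* OR index=_* sourcetype=$form.data_sourcetype|s$
| eval length=len(_raw)
| search length=$form.limit|s$]]></query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>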