Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to truncate the entire event to a max number of characters?

skirven
Communicator
‎06-23-2022 05:44 AM

Hi folks,
  I'm trying to see how I can truncate the entire event to a max number of characters. So basically, if this is my test event (including new lines), and I wanted to capture say the first 10 characters ("Mary had a"), i can't seem to do it.

 

Mary had a little lamb,
little lamb, little lamb.
Mary had a little lamb, its fleece was white as snow.
And everywhere that Mary went,
Mary went, Mary went,
and everywhere that Mary went, the lamb was sure to go.

 

 

 

I don't seem to be able to use TRUNCATE, because it seems to evaluate *each line* versus the event as a whole. And MAX_EVENTS would not work either, because it would roll to the next event. (I would be OK with MAX_EVENTS if the behavior was to discard the extra.

I have tried this transform, and it seems to want to match each line, and even breaks the events into single line events, as I can't seem to pattern match the newline character.

 

 

[truncate_raw_10]
SOURCE_KEY = _raw
REGEX = ^(.{0,10})
DEST_KEY = _raw
FORMAT = $1

 

 

Does anyone have any insight?
Thanks!

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skirven
Communicator
‎07-05-2022 11:18 AM

After the vacation, and getting back to this, I found that my valid use case was truncating at 4096 characters. This lead me down to see why, and I found the LOOKAHEAD parameter in transforms.conf. So I made it this, and it works!

[truncate_raw_20000]
LOOKAHEAD = 20000
SOURCE_KEY = _raw
#REGEX = (^[\s\S])
REGEX = (^[\s\S]{0,20000})
DEST_KEY = _raw
FORMAT = $1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skirven
Communicator
‎07-05-2022 11:18 AM

After the vacation, and getting back to this, I found that my valid use case was truncating at 4096 characters. This lead me down to see why, and I found the LOOKAHEAD parameter in transforms.conf. So I made it this, and it works!

[truncate_raw_20000]
LOOKAHEAD = 20000
SOURCE_KEY = _raw
#REGEX = (^[\s\S])
REGEX = (^[\s\S]{0,20000})
DEST_KEY = _raw
FORMAT = $1
0 Karma
Reply
Solved! Jump to solution

skirven
Communicator
‎06-29-2022 02:04 PM

Hi,

  Thanks you for your response. I did actually partially get this working in my development environment. I need to set up some time to validate next week in Production again.

Here's what I came up with:

https://regex101.com/r/pGxZWU/1

 

[truncate_raw_500]
SOURCE_KEY = _raw
REGEX = (^[\s\S]{0,500})
DEST_KEY = _raw
FORMAT = $1

Thank you,
Stephen

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-29-2022 01:58 PM

Hi

Have you try to add regex modifiers on your REGEX in props.conf (?mgx) ?

https://regex101.com/r/asBFDf/1

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
Top