Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add a field that includes the length of the field values

agodoy
Communicator
‎06-17-2013 12:27 PM

I am using eval foo = mvcount(split(field,"")) to count the number of characters in a field at search time. Is there a place to put such a statement so that the field foo gets created for all events that contain that field?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎06-17-2013 01:03 PM

I believe that you want to take a look at 'calculated fields', which lets you make this 'permanent' in a config file. So no need to put it as part of the search.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/definecalcfields

http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Propsconf

EVAL-<fieldname> = <eval statement>
* Use this to automatically run the <eval statement> and assign the 
  value of the output to <fieldname>.  This feature is referred to as 'calculated fields'.
* When multiple EVAL-* statements are specified, they behave as if 
  they are run in parallel, rather than in any particular sequence.  
  This means that if you have e.g. EVAL-x=y*2, EVAL-y=100, x will be 
  assigned the original value of y * 2, not the value of y after it is set to 100.
* All field calculations will done after field aliasing but before lookups.  This
  means you can lookup based on the value of a calculated field

Hope this helps,

K

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎06-17-2013 01:03 PM

I believe that you want to take a look at 'calculated fields', which lets you make this 'permanent' in a config file. So no need to put it as part of the search.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/definecalcfields

http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Propsconf

EVAL-<fieldname> = <eval statement>
* Use this to automatically run the <eval statement> and assign the 
  value of the output to <fieldname>.  This feature is referred to as 'calculated fields'.
* When multiple EVAL-* statements are specified, they behave as if 
  they are run in parallel, rather than in any particular sequence.  
  This means that if you have e.g. EVAL-x=y*2, EVAL-y=100, x will be 
  assigned the original value of y * 2, not the value of y after it is set to 100.
* All field calculations will done after field aliasing but before lookups.  This
  means you can lookup based on the value of a calculated field

Hope this helps,

K

0 Karma
Reply
Solved! Jump to solution

agodoy
Communicator
‎06-17-2013 01:34 PM

I was not. Thanks for bring it up. Will change it since it is more simple to use and produces the same results. Thanks again.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎06-17-2013 01:31 PM

You are aware of the len(x) function for eval?

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonEvalFunctions

/k

0 Karma
Reply
Solved! Jump to solution

agodoy
Communicator
‎06-17-2013 01:09 PM

Perfect. Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...