HI people,
I want from a query to only print out the first n-characters of the field value. So:
index=someIndex sourcetype=someNetworkDevice
| stats count by someField
The output goes:
someField
this is a strong value 1
this is a string value 1a
this is a string value 2
some other string value 1
some other string value 1a
some other string value 2
this is yet another string value 1
this is yet another string value 1a
etc.
I want to pull out say the first 10 characters in each row:
this is a
this is a
this is a
some other
some other
some other
this is yet
this is yet
etc
HI @JohnEGones ,
I have some problem to understand why you're doing this!
Anyway, you can use eval substr to take only the first n chars of a field:
index=someIndex sourcetype=someNetworkDevice
| stats count by someField
| eval someField=substr(someField,1,10)
as you san see at https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchReference/TextFunctions#substr.28.26lt.3Bst...
Ciao.
Giuseppe
HI Giuseppe,
Nope you got it. Like when it's quick and easy.
Thanks.
Hi @JohnEGones ,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
HI @JohnEGones ,
I have some problem to understand why you're doing this!
Anyway, you can use eval substr to take only the first n chars of a field:
index=someIndex sourcetype=someNetworkDevice
| stats count by someField
| eval someField=substr(someField,1,10)
as you san see at https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchReference/TextFunctions#substr.28.26lt.3Bst...
Ciao.
Giuseppe