Solved: How to extract event raw size just like linecount

tpflicke · ‎05-24-2014

I frequently use the length of the raw data - more often than readily extracted fields punctuation and linecount

I do so be extracting the field in the query like

... | eval raw_length=len(_raw) | ...

What are the options to do this as a predefined field extraction at either search time or even index time?

dwaddle · ‎05-24-2014

You can do this with a 'calculated field' which is really just an eval command stuff into a config file. Stuff this into $SPLUNK_HOME/etc/system/local/props.conf:

[default]
EVAL-raw_length = len(_raw)

View solution in original post

dwaddle · ‎05-24-2014

You can do this with a 'calculated field' which is really just an eval command stuff into a config file. Stuff this into $SPLUNK_HOME/etc/system/local/props.conf:

[default]
EVAL-raw_length = len(_raw)

tpflicke · ‎05-27-2014

Thanks, exactly what I need.

How to extract event raw size just like linecount

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to extract event raw size just like linecount

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!