I frequently use the length of the raw data, more often than the readily extracted fields punctuation and linecount.
I do so by extracting the field in the query like
... | eval raw_length=len(_raw) | ...
What are the options to do this as a predefined field extraction at either search time or even index time?
You can do this with a 'calculated field', which is really just an eval
command stuffed into a config file. Put this into $SPLUNK_HOME/etc/system/local/props.conf:
[default]
EVAL-raw_length = len(_raw)
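As an added example (not part of the original answer), the same calculated field scoped to a single sourcetype rather than [default], so the eval only runs for the events you actually care about. The sourcetype name `app_logs` is a placeholder assumption; substitute your own.

```ini
# $SPLUNK_HOME/etc/system/local/props.conf
# Calculated fields are evaluated at search time, so they cost nothing at index time
# and take effect for new searches after the config is reloaded.
[app_logs]
# hypothetical sourcetype name; length of the raw event in characters
EVAL-raw_length = len(_raw)
```

Once the field exists you can use it like any other extracted field, which is handy for spotting abnormally large events (a common symptom of log flooding or injected payloads), e.g. `sourcetype=app_logs | stats avg(raw_length) max(raw_length) by host` or `sourcetype=app_logs raw_length>4096`. Note that this answers the search-time half of the question; a calculated field cannot be computed at index time.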
Thanks, exactly what I need.