Splunk Search

How to truncate mv fields and add "...truncated" at the end of the field?

ynchan38
New Member

I am performing a search on firewall logs and looking for hosts that are scanning our servers. I would like to capture only 20 of the servers that are being scanned by a single server, and the ports that are being scanned, and email alerts to the response team.

search_query | stats count AS No_Connections,values(dest_ip) AS Destination_IP,
dc(dest_ip) AS No_Destinations,
values(dest_port) AS PORTS,
dc(dest_port) AS No_Ports by src_ip
| rename src_ip AS Source_IP
| search No_Destinations > 500 AND No_Ports > 100
| eval Destination_IP=mvindex(Destination_IP,1,20)
| eval PORTS=mvindex(PORTS,1,20)

I managed to reduce the number of values in the mv field; however, I don't know how to show that this is a truncated list. The alert function will include all the values in the email; however, I would like the web search to show only a limited number of values and show [and xxx more values] at the end.

Can it be done in an alert and in a report?


hazekamp
Builder
  1. Add "dc(field) as dc_field" to stats to maintain a unique count
  2. Use the following eval:

    | eval field=if(dc_field>19,mvappend(mvindex(field,0,19),"..."),field)

The above eval looks for dc_field values greater than 20, uses mvindex to get the first 20 (note: the index begins at 0, so 0-19) and then appends "..." or "TRUNCATED" or whatever. If dc_field<=19 then field=field.

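A self-contained version of the accepted approach, added here as a worked example (it is not code from the original thread), that also produces the "[and xxx more values]" suffix the question asks for. It fabricates 30 connections from one source with makeresults and mvrange (constructed data, not real firewall logs), so the thresholds are lowered to 20 for the demo; the asker's thresholds of 500 destinations and 100 ports drop straight in. The *_full fields and the ordering of the pipeline are assumptions of this example, suggested so that the alert e-mail can still carry the complete lists while the report shows the shortened ones.

```spl
| makeresults
| eval src_ip="203.0.113.7", n=mvrange(1,31)
| mvexpand n
| eval dest_ip="10.1.0.".n, dest_port=1000+n
| stats count AS No_Connections,
        values(dest_ip) AS Destination_IP, dc(dest_ip) AS No_Destinations,
        values(dest_port) AS PORTS,       dc(dest_port) AS No_Ports
  by src_ip
| rename src_ip AS Source_IP
| where No_Destinations > 20 AND No_Ports > 20
| eval Destination_IP_full=Destination_IP, PORTS_full=PORTS
| eval Destination_IP=if(No_Destinations>20,
        mvappend(mvindex(Destination_IP,0,19), "[and ".(No_Destinations-20)." more values]"),
        Destination_IP)
| eval PORTS=if(No_Ports>20,
        mvappend(mvindex(PORTS,0,19), "[and ".(No_Ports-20)." more values]"),
        PORTS)
| table Source_IP No_Connections No_Destinations Destination_IP No_Ports PORTS
```

Stage by stage: the first four lines only build the sample events (one src_ip, 30 distinct dest_ip and dest_port values). dc() is computed by stats independently of values(), so it is the authoritative count and drives both the if() test and the "N more values" arithmetic. mvindex is 0-based, so 0,19 yields exactly 20 items; the question's 1,20 silently drops the first value. Two caveats a practitioner will want: values() deduplicates and returns the values in lexicographical order, so the "first 20" are the lexically smallest (here 10.1.0.1, 10.1.0.10, 10.1.0.11, ... rather than 10.1.0.1 through 10.1.0.20); if first-seen order matters use list() instead, remembering that list() keeps duplicates and is capped by list_maxsize in limits.conf. values() itself is capped by the maxvalues setting in the [stats] stanza of limits.conf, which is another reason to take the count from dc() rather than from mvcount() of the list. Run the report with the truncated fields and point the alert action at the *_full fields (or omit the truncating evals in the alert's search) to get the behaviour the question describes.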

ynchan38
New Member

Thank you. Exactly what I need.
