find max length where field name is firstName_1,firstName_2...

dummy1281
Engager

My Splunk entry is firstName_1="Tom" firstName_2="Jerry" firstName_3="Tom1" firstName_4="Jerry1"

I would like to find max length of firstName. Answer for above entry should be 6 as firstName_4 length is Jerry1 (6)

Tried | table firstName_* but getting all the values in table and to find max length, I need to find the length manually.

Tried | eval len (firstName_*) but getting error.

Can you please help me with this? Thanks


richgalloway
SplunkTrust

Use foreach to process each firstName_* field.

... | eval maxLen=0 | foreach firstName_* [eval maxLen=if(len(<<FIELD>>) > maxLen, len(<<FIELD>>), maxLen)] | ...
---
If this reply helps you, Karma would be appreciated.

dummy1281
Engager

Thank you for your reply. When I try

index=x | eval maxLen=0 | foreach firstName_* [eval maxLen=if(len(<>) > maxLen, len(<>), maxLen)]

I am getting the same result as for index=x, but not the max length for firstName_*.

I'm really not sure what I'm missing. Can you please help?


kamlesh_vaghela
SplunkTrust

@dummy1281

It should work.

Can you please try this?

index=x 
| eval maxLen=0  
| foreach firstName_* 
    [ eval maxLen=case(maxLen>=len('<<FIELD>>'),maxLen,true(),len('<<FIELD>>'))] 
| table firstName* maxLen

Sample search:

| makeresults 
| eval maxLen=0, firstName_1="Tom",firstName_2="Jerry",firstName_3="Tom1",firstName_4="Jerry1llll" 
| foreach firstName_* 
    [ eval maxLen=case(maxLen>=len('<<FIELD>>'),maxLen,true(),len('<<FIELD>>'))] 
| table firstName* maxLen

Thanks

dummy1281
Engager

Thanks Kamlesh. It works


493669
Super Champion

I hope this will work:

... | eval Max=0
| foreach firstName_*
    [eval Max=case(Max>=len('<<FIELD>>'),Max,true(),len('<<FIELD>>'))]

Converted to comment since rich's answer is more correct.


richgalloway
SplunkTrust

I wouldn't say it's more correct. Just different.
