
find max length where field name is firstName_1,firstName_2...

Engager

My Splunk entry is firstName1="Tom" firstName2="Jerry" firstName3="Tom1" firstName4="Jerry1"

I would like to find the max length of firstName. The answer for the above entry should be 6, as firstName_4 is Jerry1 (length 6).

I tried | table firstName_* but I get all the values in a table, and to find the max length I need to find the length manually.

I tried | eval len (firstName_*) but I get an error.

Can you please help me with this? Thanks.

0 Karma

Re: find max length where field name is firstName_1,firstName_2...

SplunkTrust

Use foreach to process each firstName_* field.

... | eval maxLen=0 | foreach firstName_* [eval maxLen=if(len(<<FIELD>>) > maxLen, len(<<FIELD>>), maxLen)] | ...
---
If this reply helps you, an upvote would be appreciated.


0 Karma

Re: find max length where field name is firstName_1,firstName_2...

Super Champion

I hope this will work:

  ...| eval Max=0
 | foreach firstName_*
     [eval Max=case(Max>=len('<<FIELD>>'),Max,true(),len('<<FIELD>>'))]

Converted to comment since rich answer is more correct

0 Karma

Re: find max length where field name is firstName_1,firstName_2...

SplunkTrust

I wouldn't say it's more correct. Just different.

0 Karma

Re: find max length where field name is firstName_1,firstName_2...

Engager

Thank you for your reply. When I try

index=x | eval maxLen=0 | foreach firstName_* [eval maxLen=if(len(<>) > maxLen, len(<>), maxLen)]

I am getting the same result as for index=x, but not the max length for firstName_*.

I'm really not sure what I'm missing. Can you please help?

0 Karma

Re: find max length where field name is firstName_1,firstName_2...

SplunkTrust

@dummy1281

It should work.

Can you please try this?

index=x 
| eval maxLen=0  
| foreach firstName_* 
    [ eval maxLen=case(maxLen>=len('<<FIELD>>'),maxLen,true(),len('<<FIELD>>'))] 
| table firstName* maxLen

Sample search:

| makeresults 
| eval maxLen=0, firstName_1="Tom",firstName_2="Jerry",firstName_3="Tom1",firstName_4="Jerry1llll" 
| foreach firstName_* 
    [ eval maxLen=case(maxLen>=len('<<FIELD>>'),maxLen,true(),len('<<FIELD>>'))] 
| table firstName* maxLen

Thanks


Re: find max length where field name is firstName_1,firstName_2...

Engager

Thanks Kamlesh. It works

0 Karma
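
An added example, not part of the original thread or any poster's code: the same foreach pattern, extended to record which firstName_* field held the longest value and to count a field that is missing from an event as length 0. The sample events and the names row, len_tmp and maxField are constructed for illustration.

```spl
| makeresults count=3
| streamstats count AS row
| eval firstName_1=case(row=1,"Tom", row=2,"Al", row=3,"Christopher")
| eval firstName_2=case(row=1,"Jerry", row=3,"Bo")
| eval firstName_4=if(row=1,"Jerry1",null())
| eval maxLen=0, maxField=""
| foreach firstName_*
    [ eval len_tmp=coalesce(len('<<FIELD>>'),0),
           maxField=if(len_tmp>maxLen,"<<FIELD>>",maxField),
           maxLen=if(len_tmp>maxLen,len_tmp,maxLen) ]
| fields - len_tmp
| table row firstName_* maxField maxLen
```

The assignments inside the single eval run left to right, so maxField is compared against the old maxLen before maxLen is updated. To get one maximum across all events rather than one per event, append | stats max(maxLen).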