Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

foreach for mv fields?

smisplunk
Path Finder
‎05-21-2010 11:03 PM

I've got a search which uses a transaction command to combine a few log events together. As a result, I have a field which is multi-value. For chart display purposes, I'd like to truncate the values to a certain width. For a single-value column, I'd do something like eval if(length(field) > 30, substr(field, 1, 27) + "...", field). This doesn't work for a multi-value field. The "mvcount" of the multi-value field is not fixed, so iterating through each one by one isn't easily possible.

Any hints?

Reply
1 Solution
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎05-22-2010 12:43 AM

while we currently do not supply a foreach command in eval you can try to truncate the field values before the transaction command (ie before the field becomes multivalued). For example:

... | eval field=if(length(field) > 30, substr(field, 1, 27) + "...", field) | transaction .... | chart ....

View solution in original post

Reply
Solved! Jump to solution

uuppuluri_splun
Splunk Employee
Splunk Employee
‎03-08-2014 06:41 PM

FWIW, the foreach command is now available as at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach

Reply
Solved! Jump to solution

mschaaf_twc
Engager
‎11-23-2015 08:50 AM

The foreach command is for multiple fields and not for the items within a single multivalued field, which is what is desired here.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎05-22-2010 12:45 AM

Hmm. I dont think eval can do this, but i could be wrong.

As a workaround, or arguably a simpler way to do the same thing, you can create a copy of the field before the transaction command, truncate those copies when they're out there, before they get packaged into transactions. Then keep the transaction logic the way it is now, but in the final display, use the truncated field, which will have been carried along for the ride.

Reply
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎05-22-2010 12:43 AM

while we currently do not supply a foreach command in eval you can try to truncate the field values before the transaction command (ie before the field becomes multivalued). For example:

... | eval field=if(length(field) > 30, substr(field, 1, 27) + "...", field) | transaction .... | chart ....
Reply
Solved! Jump to solution

smisplunk
Path Finder
‎05-22-2010 01:48 AM

Didn't think of putting the truncation first. Nice!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...