how to limit characters length in splunk result

ssehgal · ‎08-02-2013

Is there a way to limit the length of the results for a particular field? For example, if the URL/ref field is 100characters long it will make our report box look like a mess because it will have a slider and push everything too wide. Can we limit that?

query: index=pci_bpo_index device_id="FG*" type="virus" | stats count by log_id subtype msg status devname url ref | sort -10count

result:- log_id=0211008192 type=virus subtype=infected pri=warning vd=root msg="File is infected." status=passthrough service=mm1 src=1.1.1.1 dst=2.2.2.2 sport=2560 src_port=2560 dport=5120 dst_port=5120 src_int=lo dst_int=dummy0 policyid=12345 identidx=67890 serial=312 dir=rx file=file_name checksum=N/A quarskip="No skip" virus=virus dtype=cat ref=fortinet/ve?vid=1 url=N/A carrier_ep="carrier endpoint" profile=N/A profiletype=N/A profilegroup=N/A user=user group=group agent=N/A from=N/A to=N/A

i want to limit the characters in ref only to show upto ref=fortinet instead of ref=fortinet/ve?vid=1

thanks
salil

martin_mueller · ‎08-02-2013

In this case it looks as if you want to remove everything from the first slash to the end?

... | eval ref = replace(ref, "/.*", "")

how to limit characters length in splunk result

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!