What is the best possible function to limit a column to not exceed a specified character count or is there a way to word wrap to the next line after it has been reached?
Yep.
Easiest was to make it a multivalued field.
... | rex field=longfield max_match=0 "(?<longfield>.{0,50})"
that'll split longfield into lines of no more that 50 characters.
View solution in original post
If you want to truncate a result column after certain length, use this...
| eval source = if (len(source) > 58, substr(source, 1, 55) + "...", source)
This is an awesome solution, but it seems to take a long time to "Finalize" the search results for a large number of returned values.
Can we think of anything that is faster? Otherwise, it would be ideal if Splunk could just provide column width control without going to .css.
