Splunk functions should _not_ truncate any data on their own (unless you explicitly use some text-manipulation function of course). There might be some visualization issue on the displaying end. Any...
See more...
Splunk functions should _not_ truncate any data on their own (unless you explicitly use some text-manipulation function of course). There might be some visualization issue on the displaying end. Anyway, You're doing one thing which in case of your data might be giving proper results but in general is a bad practice. If you have multivalued fields (like your two Testcase and Status fields) you have no guarantee that they will contain entries matching 1-1 with each other. A simple run-anywhere example to demonstrate: | makeresults | eval _raw="[ { \"a\":\"a\",\"b\":\"b\"},{\"a\":\"b\",\"c\":\"c\"},{\"b\":\"d\",\"c\":\"e\"}]" | spath {}.a output=a | spath {}.b output=b | spath {}.c output=c | spath {} output=pairs As you can see, the output in fields a, b and c would be completely different if zipped together than what you get as pairs in the array. That's why you should rather parse out whole separate testcases as json objects with | spath testcase (or whatever path you have there to your test cases) and then parse each of them separately so you don't loose the connection between separate fields within a single testcase.