Hello community,
I have a problem with my research. My searches are then sent to Splunk OnCall to manage alerts. However, I noticed that some fields in my request can sometimes have a lot of characters, and in this case, the information does not go to Splunk OnCall.
The large number of characters is not useful and I would like to limit the number so that it does not block towards Splunk OnCall. I therefore seek to limit the number of characters in a field of my request, whatever the result. I came across this post (https://community.splunk.com/t5/Splunk-Search/Limit-length-of-field-of-characters-in-search-results/mp/134908#M36872) but the command does not work.
Here is an example request:
index=my_index state=* | fields hostname service_description output state
It is the "output" field that I would like to limit. Based on the link above, I wrote:
index=my_index state=* | fields hostname service_description output state | eval output=substr(output,1,15)
But that doesn't fix it. Do you have any idea where I should dig for this?
FYI, I'm on Enterprise 8.2.3
Thank you in advance
Rajaion