Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

foreach for mv fields?

smisplunk
Path Finder
‎05-21-2010 11:03 PM

I've got a search which uses a transaction command to combine a few log events together. As a result, I have a field which is multi-value. For chart display purposes, I'd like to truncate the values to a certain width. For a single-value column, I'd do something like eval if(length(field) > 30, substr(field, 1, 27) + "...", field). This doesn't work for a multi-value field. The "mvcount" of the multi-value field is not fixed, so iterating through each one by one isn't easily possible.

Any hints?

Reply
1 Solution
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎05-22-2010 12:43 AM

while we currently do not supply a foreach command in eval you can try to truncate the field values before the transaction command (ie before the field becomes multivalued). For example:

... | eval field=if(length(field) > 30, substr(field, 1, 27) + "...", field) | transaction .... | chart ....

View solution in original post

Reply
Solved! Jump to solution

uuppuluri_splun
Splunk Employee
Splunk Employee
‎03-08-2014 06:41 PM

FWIW, the foreach command is now available as at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach

Reply
Solved! Jump to solution

mschaaf_twc
Engager
‎11-23-2015 08:50 AM

The foreach command is for multiple fields and not for the items within a single multivalued field, which is what is desired here.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎05-22-2010 12:45 AM

Hmm. I dont think eval can do this, but i could be wrong.

As a workaround, or arguably a simpler way to do the same thing, you can create a copy of the field before the transaction command, truncate those copies when they're out there, before they get packaged into transactions. Then keep the transaction logic the way it is now, but in the final display, use the truncated field, which will have been carried along for the ride.

Reply
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎05-22-2010 12:43 AM

while we currently do not supply a foreach command in eval you can try to truncate the field values before the transaction command (ie before the field becomes multivalued). For example:

... | eval field=if(length(field) > 30, substr(field, 1, 27) + "...", field) | transaction .... | chart ....
Reply
Solved! Jump to solution

smisplunk
Path Finder
‎05-22-2010 01:48 AM

Didn't think of putting the truncation first. Nice!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...