eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0)

Gives the first sentence of the Windows Message field. Split divides the Message field by sentences (split at each period ".") - the second command populates the first sentence (0) into the field called "Short_Message".
I'm very new to Splunk, so forgive me if this isn't the best method available. I too was having this issue with limiting the length/size of Messages from Windows 2008 Security Logs. The working answer for me was to use the regex creation tool.
Again, this may be beginner stuff, but it worked for me!
Yes, limit the value of a field. For example, the message field is very long for some Messages; is it possible to limit the display?
Thank you.
What message field? Are you talking about limiting the value of a field?