how to limit characters length in splunk result

ssehgal · ‎08-02-2013

Is there a way to limit the length of the results for a particular field? For example, if the URL/ref field is 100characters long it will make our report box look like a mess because it will have a slider and push everything too wide. Can we limit that?

query: index=pci_bpo_index device_id="FG*" type="virus" | stats count by log_id subtype msg status devname url ref | sort -10count

result:- log_id=0211008192 type=virus subtype=infected pri=warning vd=root msg="File is infected." status=passthrough service=mm1 src=1.1.1.1 dst=2.2.2.2 sport=2560 src_port=2560 dport=5120 dst_port=5120 src_int=lo dst_int=dummy0 policyid=12345 identidx=67890 serial=312 dir=rx file=file_name checksum=N/A quarskip="No skip" virus=virus dtype=cat ref=fortinet/ve?vid=1 url=N/A carrier_ep="carrier endpoint" profile=N/A profiletype=N/A profilegroup=N/A user=user group=group agent=N/A from=N/A to=N/A

i want to limit the characters in ref only to show upto ref=fortinet instead of ref=fortinet/ve?vid=1

thanks
salil

martin_mueller · ‎08-02-2013

In this case it looks as if you want to remove everything from the first slash to the end?

... | eval ref = replace(ref, "/.*", "")

how to limit characters length in splunk result

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...