how to limit characters length in splunk result

ssehgal
Explorer

Is there a way to limit the length of the results for a particular field? For example, if the URL/ref field is 100 characters long it will make our report box look like a mess because it will have a slider and push everything too wide. Can we limit that?

query: index=pci_bpo_index device_id="FG*" type="virus" | stats count by log_id subtype msg status devname url ref | sort -10count

result:- log_id=0211008192 type=virus subtype=infected pri=warning vd=root msg="File is infected." status=passthrough service=mm1 src=1.1.1.1 dst=2.2.2.2 sport=2560 src_port=2560 dport=5120 dst_port=5120 src_int=lo dst_int=dummy0 policyid=12345 identidx=67890 serial=312 dir=rx file=file_name checksum=N/A quarskip="No skip" virus=virus dtype=cat ref=fortinet/ve?vid=1 url=N/A carrier_ep="carrier endpoint" profile=N/A profiletype=N/A profilegroup=N/A user=user group=group agent=N/A from=N/A to=N/A

I want to limit the characters in ref only to show up to ref=fortinet instead of ref=fortinet/ve?vid=1

thanks
salil

martin_mueller
SplunkTrust

In this case it looks as if you want to remove everything from the first slash to the end?

... | eval ref = replace(ref, "/.*", "")
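
A generalisation of the answer above, added here as an example and not part of the original thread: it keeps scheme and host when the value is a full URL, leaves the literal N/A untouched (a bare "/.*" replace turns N/A into N and http://host/path into http:), and then caps whatever remains at a fixed length. The makeresults rows are constructed sample values; ref_short and the 16-character cap are assumed names and limits.

```spl
| makeresults count=4
| streamstats count AS n
| eval ref=case(n=1, "fortinet/ve?vid=1",
                n=2, "fortinet/ve?vid=2",
                n=3, "http://example.test/some/very/long/path/that/widens/the/report/panel?id=123",
                n=4, "N/A")
| stats count BY ref
| eval ref_short=if(ref="N/A", ref, replace(ref, "^(\w+://[^/]+|[^/]+)/.*", "\1"))
| eval ref_short=if(len(ref_short) > 16, substr(ref_short, 1, 16)."...", ref_short)
| table ref_short ref count
```

With the eval placed after stats, each full ref keeps its own row and count; moving it before stats and grouping by ref_short instead merges every ref that shares a prefix into one count.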