topic Re: eval substr is not working with large string of 20k characters in Splunk Search

Why won't eval substr is work with large string of 20k characters?

RJDev — Tue, 21 Jun 2022 16:25:53 GMT

Hi, I am new to Splunk. I just started using it last month. For me the below
" | eval error=substr(msg, 0, 1000) | table error app_name" is not working with my alert event.

It doesn't work for large strings with 20k or more characters. The table cells show blank in this case. But values can be found in verbose mode but in fast mode.

However it works when the msg is of ~1150 characters.

Re: eval substr is not working with large string of 20k characters

gcusello — Mon, 20 Jun 2022 07:48:15 GMT

Hi @RJDev,

It's really stronge, it's the first time I see an issue like this, anyway, you could try to use the rex command maybe it hasn't the same limit:

| rex field=msg "^(?<error>.{1000})"

Ciao.

Giuseppe

Re: eval substr is not working with large string of 20k characters

kamlesh_vaghela — Mon, 20 Jun 2022 12:19:30 GMT

@RJDev

I think it should work. I've check by using below search. You can try it.

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: eval substr is not working with large string of 20k characters

RJDev — Fri, 24 Jun 2022 18:05:23 GMT

Hi @gcusello Thanks for replying.

Apologies for delayed response.

Will definitely give this a try shortly and let you know

Re: eval substr is not working with large string of 20k characters

RJDev — Mon, 27 Jun 2022 05:53:36 GMT

Hi @gcusello ,

I just have tried your suggestion,

| rex field=msg "^(?<error>.{1000})" | table field

However it didn't work.

Re: eval substr is not working with large string of 20k characters

bowesmana — Mon, 27 Jun 2022 06:00:29 GMT

Did you mean

... | table error

You are extracting error with the rex command, not field

Re: eval substr is not working with large string of 20k characters

gcusello — Mon, 27 Jun 2022 06:37:32 GMT

Hi @RJDev,

yes, as @bowesmana hinted:

| rex field=msg "^(?<error>.{1000})" | table error

Ciao.

Giuseppe

Re: eval substr is not working with large string of 20k characters

RJDev — Mon, 27 Jun 2022 09:29:22 GMT

Hi @bowesmana ,

I tried that too.

| rex field=msg "^(?<error>.{1000})" | table error

Still no luck.

Re: Why won't eval substr is work with large string of 20k characters?

bowesmana — Mon, 27 Jun 2022 23:04:18 GMT

Does the makeresults example work in your instance? If so, it would appear that the 20k is not an issue?

If it works, then there is one thing that may be relevant. If your field is a multivalue field, then it substr will not work.