topic splunk query with substring not working in Splunk Search https://community.splunk.com/t5/Splunk-Search/splunk-query-with-substring-not-working/m-p/695685#M236525 <P>Hello Everyone,</P><P>I have written the splunk query to remove last 2 character from the string:</P><P>processingDuration = <STRONG>102ms</STRONG>&nbsp; as <STRONG>102</STRONG> for the following log:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{ "timestamp": "2029-02-29 07:32:54.734", "level": "INFO", "thread": "54dd544ff", "logger": "my.logger", "message": { "logTimeStamp": "2029-02-29T07:32:54.734494726Z", "logType": "RESP", "statusCode": 200, "processingDuration": "102ms", "headers": { "Content-Type": [ "application/json" ] }, "tracers": { "correlation-id": [ "hfkjhwkj98342" ], "request-id": [ "53456345" ], "service-trace-id": [ "34234623456" ] } }, "context": "hello-service" }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>my splunk query:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=my_index | spath logger | search logger="my.logger" | spath "message.logType" | search "message.logType"=RESP | spath "message.tracers.correlation-id{}" | search "message.tracers.correlation-id{}"="hfkjhwkj98342" | eval myprocessTime = substr("message.processingDuration", 1, len("message.processingDuration")-2) | table "message.tracers.correlation-id{}" myprocessTime</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>the above query considers <STRONG>"message.processingDuration"</STRONG> as string itself and removes last 2 characters out of it.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="super_edition_1-1723117654225.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/32110iB6DC2F52AD1035BC/image-size/medium?v=v2&amp;px=400" role="button" title="super_edition_1-1723117654225.png" alt="super_edition_1-1723117654225.png" /></span></P><P>I tried without double quotes also, it returned empty:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">substr(message.processingDuration, 1, len(message.processingDuration)-2)</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;Appreciate your help on this.</P><P>Thanks in advance.</P> Thu, 08 Aug 2024 11:55:54 GMT super_edition 2024-08-08T11:55:54Z splunk query with substring not working https://community.splunk.com/t5/Splunk-Search/splunk-query-with-substring-not-working/m-p/695685#M236525 <P>Hello Everyone,</P><P>I have written the splunk query to remove last 2 character from the string:</P><P>processingDuration = <STRONG>102ms</STRONG>&nbsp; as <STRONG>102</STRONG> for the following log:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{ "timestamp": "2029-02-29 07:32:54.734", "level": "INFO", "thread": "54dd544ff", "logger": "my.logger", "message": { "logTimeStamp": "2029-02-29T07:32:54.734494726Z", "logType": "RESP", "statusCode": 200, "processingDuration": "102ms", "headers": { "Content-Type": [ "application/json" ] }, "tracers": { "correlation-id": [ "hfkjhwkj98342" ], "request-id": [ "53456345" ], "service-trace-id": [ "34234623456" ] } }, "context": "hello-service" }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>my splunk query:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=my_index | spath logger | search logger="my.logger" | spath "message.logType" | search "message.logType"=RESP | spath "message.tracers.correlation-id{}" | search "message.tracers.correlation-id{}"="hfkjhwkj98342" | eval myprocessTime = substr("message.processingDuration", 1, len("message.processingDuration")-2) | table "message.tracers.correlation-id{}" myprocessTime</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>the above query considers <STRONG>"message.processingDuration"</STRONG> as string itself and removes last 2 characters out of it.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="super_edition_1-1723117654225.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/32110iB6DC2F52AD1035BC/image-size/medium?v=v2&amp;px=400" role="button" title="super_edition_1-1723117654225.png" alt="super_edition_1-1723117654225.png" /></span></P><P>I tried without double quotes also, it returned empty:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">substr(message.processingDuration, 1, len(message.processingDuration)-2)</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;Appreciate your help on this.</P><P>Thanks in advance.</P> Thu, 08 Aug 2024 11:55:54 GMT https://community.splunk.com/t5/Splunk-Search/splunk-query-with-substring-not-working/m-p/695685#M236525 super_edition 2024-08-08T11:55:54Z Re: splunk query with substring not working https://community.splunk.com/t5/Splunk-Search/splunk-query-with-substring-not-working/m-p/695693#M236527 <P>A string in single quotes is treated by Splunk as a field name.</P><LI-CODE lang="markup">substr('message.processingDuration', 1, len('message.processingDuration')-2)</LI-CODE> Thu, 08 Aug 2024 12:27:59 GMT https://community.splunk.com/t5/Splunk-Search/splunk-query-with-substring-not-working/m-p/695693#M236527 richgalloway 2024-08-08T12:27:59Z