https://community.splunk.com/t5/Splunk-Search/Custom-field-from-an-event-is-not-being-parsed-correctly/m-p/744558#M241273 <P class="">Hi, We are using the event field message in our alert, but in some cases, the field is not being parsed correctly. For example, in the attached screenshot, the source event contains the full text in raw format, i.e., message="The full message". However, when we check the Event under the <STRONG>Action</STRONG> tab, it only shows the first word of the message — "The" — which results in incorrect information being sent in alerts.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-04-21 at 2.19.07 PM(2).png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/38668i357F83C054F789AB/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2025-04-21 at 2.19.07 PM(2).png" alt="Screenshot 2025-04-21 at 2.19.07 PM(2).png" /></span></P><P class="">Could someone please help us resolve this issue? I appreciate any help you can provide.</P> Mon, 21 Apr 2025 09:57:58 GMT bilalzaib 2025-04-21T09:57:58Z https://community.splunk.com/t5/Splunk-Search/Custom-field-from-an-event-is-not-being-parsed-correctly/m-p/744558#M241273 <P class="">Hi, We are using the event field message in our alert, but in some cases, the field is not being parsed correctly. For example, in the attached screenshot, the source event contains the full text in raw format, i.e., message="The full message". However, when we check the Event under the <STRONG>Action</STRONG> tab, it only shows the first word of the message — "The" — which results in incorrect information being sent in alerts.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-04-21 at 2.19.07 PM(2).png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/38668i357F83C054F789AB/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2025-04-21 at 2.19.07 PM(2).png" alt="Screenshot 2025-04-21 at 2.19.07 PM(2).png" /></span></P><P class="">Could someone please help us resolve this issue? I appreciate any help you can provide.</P> Mon, 21 Apr 2025 09:57:58 GMT https://community.splunk.com/t5/Splunk-Search/Custom-field-from-an-event-is-not-being-parsed-correctly/m-p/744558#M241273 bilalzaib 2025-04-21T09:57:58Z https://community.splunk.com/t5/Splunk-Search/Custom-field-from-an-event-is-not-being-parsed-correctly/m-p/744560#M241274 <P>What sourcetype and extraction configuration are you using?</P> Mon, 21 Apr 2025 10:19:34 GMT https://community.splunk.com/t5/Splunk-Search/Custom-field-from-an-event-is-not-being-parsed-correctly/m-p/744560#M241274 ITWhisperer 2025-04-21T10:19:34Z https://community.splunk.com/t5/Splunk-Search/Custom-field-from-an-event-is-not-being-parsed-correctly/m-p/744565#M241278 <P>The logs are coming from a Django application, and the sourcetype is set to the name of the application (as shown by&nbsp;| metasearch sourcetype=* command). This is how we are sending logs from the application</P><LI-CODE lang="python">logger.info('Carrier updates summary; message="The following updates message", user="john_doe", carrier_slug="example_carrier"')</LI-CODE><P><BR />We are using below query for extraction</P><LI-CODE lang="python">((host="*.prod.domain.com" "Carrier updates summary;") OR (index=prod_index_eks kub.pod_name="domain-*" log="*Carrier updates summary;*")) | eval message=coalesce(message, log) | table message</LI-CODE><P class=""><BR />I hope this provides some context about our logs. Apologies if it doesn’t — I’m still very new to Splunk. I really appreciate your help!</P> Mon, 21 Apr 2025 10:55:02 GMT https://community.splunk.com/t5/Splunk-Search/Custom-field-from-an-event-is-not-being-parsed-correctly/m-p/744565#M241278 bilalzaib 2025-04-21T10:55:02Z https://community.splunk.com/t5/Splunk-Search/Custom-field-from-an-event-is-not-being-parsed-correctly/m-p/744566#M241279 <P>Assuming you have admin access, you can find the source types under the settings menu option. From this you can find out what extractions are configured, as I suspect these aren't dealing with your custom field as you expect.</P><P>You could also try using the extract command</P><LI-CODE lang="markup">((host="*.prod.domain.com" "Carrier updates summary;") OR (index=prod_index_eks kub.pod_name="domain-*" log="*Carrier updates summary;*")) | extract | eval message=coalesce(message, log) | table message</LI-CODE> Mon, 21 Apr 2025 11:25:20 GMT https://community.splunk.com/t5/Splunk-Search/Custom-field-from-an-event-is-not-being-parsed-correctly/m-p/744566#M241279 ITWhisperer 2025-04-21T11:25:20Z