How to read lengthy messages into fields?

Splunk_321 · ‎05-14-2023

Hi,

I am trying to read a field msg.logMessage.error into table. This field is having character length of upto 22,000. I need to read this field into table and when I try below it is giving blank.

basesearch | table msg.logMessage.error

Actually, I can show first 2000 characters of this error as well, So I tried this as well, but no luck

basesearch | eval error = substr(msg.logMessage.error,1,2000) | table error

I tried having single and double quotes around msg.logMessage.error but no luck.

Not sure If I need to modify some splunk settings to read such fields into table.

Can anyone please help me with the soluntion.

Thanks in Advance!

gcusello · ‎05-14-2023

Hi @Splunk_321,

in Splunk there's the default limit to the fields lenght of 10,240 chars, from limits.conf (https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Limitsconf), in this way your events will be truncated around the middle of the events

maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.

that obviously you can change, but the question is: can you read a field of more than 10.000 chars?

Anyway, if you don't visualize the entire field (to the limit of 10240 chars, maybe there's a visualization issue, try to visualize more than 2000 chars, near the limit.

Or try to change the chars dimension.

Ciao.

Giuseppe

Splunk_321 · ‎05-15-2023

@gcusello
Thanks!

Seems some visualization issue. Tried to read 10,000 or 10,240 characters but no luck.

Btw, what do you mean by changing the chars dimension?

Any other comments would be appreciated.

gcusello · ‎05-15-2023

Hi @Splunk_321,

zooming the browser window.

Ciao.

Giuseppe

How to read lengthy messages into fields?

field extraction

fields

table

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor