Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to read lengthy messages into fields?

Splunk_321
Path Finder
‎05-14-2023 10:17 PM

Hi,

I am trying to read a field msg.logMessage.error into table. This field is having character length of upto 22,000. I need to read this field into table and when I try below it is giving blank.

 

basesearch | table msg.logMessage.error

 

Actually, I can show first 2000 characters of this error as well, So I tried this as well, but no luck

 

basesearch | eval error = substr(msg.logMessage.error,1,2000) | table error

 

 I tried having single and double quotes around msg.logMessage.error but no luck.

Not sure If I need to modify some splunk settings to read such fields into table.

Can anyone please help me with the soluntion.

Thanks in Advance!

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-14-2023 10:55 PM

Hi @Splunk_321,

in Splunk there's the default limit to the fields lenght of 10,240 chars, from limits.conf (https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Limitsconf), in this way your events will be truncated around the middle of the events

maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.

 that obviously you can change, but the question is: can you read a field of more than 10.000 chars?

Anyway, if you don't visualize the entire field (to the limit of 10240 chars, maybe there's a visualization issue, try to visualize more than 2000 chars, near the limit.

Or try to change the chars dimension.

Ciao.

Giuseppe

0 Karma
Reply

Splunk_321
Path Finder
‎05-15-2023 03:51 AM

@gcusello 
Thanks!

Seems some visualization issue. Tried to read 10,000 or 10,240 characters but no luck.

Btw, what do you mean by changing the chars dimension?

Any other comments would be appreciated.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-15-2023 04:59 AM

Hi @Splunk_321,

zooming the browser window.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...