Splunk Search

How to read lengthy messages into fields?

Splunk_321
Path Finder

Hi,

I am trying to read a field msg.logMessage.error into a table. This field has a character length of up to 22,000. I need to read this field into a table, and when I try the search below it returns blank.

basesearch | table msg.logMessage.error

Actually, showing just the first 2000 characters of this error would be enough as well, so I tried this too, but no luck:

basesearch | eval error = substr('msg.logMessage.error',1,2000) | table error

I tried having single and double quotes around msg.logMessage.error, but no luck.

Not sure if I need to modify some Splunk settings to read such fields into a table.

Can anyone please help me with the solution?

Thanks in Advance!


gcusello
SplunkTrust

Hi @Splunk_321,

in Splunk there's a default limit on field length of 10,240 chars, from limits.conf (https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Limitsconf); in this way your events will be truncated around the middle of the event:

maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.

That obviously you can change, but the question is: can you read a field of more than 10,000 chars?

Anyway, if you don't visualize the entire field (up to the limit of 10,240 chars), maybe there's a visualization issue; try to visualize more than 2000 chars, near the limit.

Or try to change the chars dimension.

Ciao.

Giuseppe

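An added diagnostic search (not from either poster) to tell a truncated or unextracted field apart from a display problem, under the assumption that `basesearch` and the dotted field name are as in the question and that `maxchars` from the answer above is the limit in play: it quotes the dotted name for eval, measures both the field and _raw, and splits the value into 2000-character rows with mvrange/mvexpand so each piece is short enough to render.

```spl
basesearch
| eval error='msg.logMessage.error'
| eval error_len=len(error), raw_len=len(_raw)
| eval chunk_start=mvrange(0, error_len, 2000)
| mvexpand chunk_start
| eval error_part=substr(error, chunk_start + 1, 2000)
| table _time raw_len error_len chunk_start error_part
```

If error_len is empty the field was never extracted (maxchars cut _raw before the KV extraction reached it); if raw_len sits at about 10240 the event itself was cut at that limit, and only raising it (or the index-time TRUNCATE setting in props.conf, default 10000, an assumption about the deployment) recovers the rest.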

Splunk_321
Path Finder

@gcusello 
Thanks!

Seems some visualization issue. Tried to read 10,000 or 10,240 characters but no luck.

Btw, what do you mean by changing the chars dimension?

Any other comments would be appreciated.


gcusello
SplunkTrust

Hi @Splunk_321,

zooming the browser window.

Ciao.

Giuseppe
