I am running query ->
index=* source="/somesource/*" message "403"
| search level IN (ERROR)
And Response is -->
{
"instant": {
"epochSecond": 1707978481,
"nanoOfSecond": 72000000
},
"thread": "main",
"level": "ERROR",
"message": "Error while creating user group",
"thrown": {
"commonElementCount": 0,
"extendedStackTrace": "403 Forbidden:"
},
"endOfBatch": false,
"threadId": 1,
"threadPriority": 5,
"timestamp": "2024-02-15T06:28:01.072+0000"
}
Now, when i ran following query ->
index=* source="/somesource/*" message "403"
| search level IN (ERROR)
| eval Test=substr(message,1,5)
| eval Test1=substr(thrown.extendedStackTrace, 1, 3)
| table Test, Test1
I am getting value for Test. Correct substring occuring (Output is Error).
But for Test1, its empty string, where as I am expecting 403.
As message is on root, its working, but the extendedStackTrace is under thrown, the thrown.extendedStackTrace is not rending the correct result.
Although, if i do
...| table Test, Test1, thrown.extendedStackTrace
There is a proper value coming in for thrown.extendedStackTrace
What am i missing?
Single quotes around field names with dots in
| eval Test1=substr('thrown.extendedStackTrace', 1, 3)
Thanks, Its worked
Excellent, that worked.. Thank You !!