Splunk Search

Match or Substring for nested object not working

aniketsamudra
Engager

I am running query -> 
index=* source="/somesource/*" message "403"
| search level IN (ERROR)

And Response is -->

{
"instant": {
"epochSecond": 1707978481,
"nanoOfSecond": 72000000
},
"thread": "main",
"level": "ERROR",
"message": "Error while creating user group",
"thrown": {
"commonElementCount": 0,
"extendedStackTrace": "403 Forbidden:"
},
"endOfBatch": false,
"threadId": 1,
"threadPriority": 5,
"timestamp": "2024-02-15T06:28:01.072+0000"
}

Now, when i ran following query ->
index=* source="/somesource/*" message "403"
| search level IN (ERROR)
| eval Test=substr(message,1,5)
| eval Test1=substr(thrown.extendedStackTrace, 1, 3)
| table Test, Test1

I am getting value for Test. Correct substring occuring (Output is Error).
But for Test1, its empty string, where as I am expecting 403.

As message is on root, its working, but the extendedStackTrace is under thrown, the thrown.extendedStackTrace is not rending the correct result.

Although, if i do

...| table Test, Test1, thrown.extendedStackTrace

There is a proper value coming in for thrown.extendedStackTrace

What am i missing?

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Single quotes around field names with dots in

| eval Test1=substr('thrown.extendedStackTrace', 1, 3)

avisatna
Engager

Thanks, Its worked

0 Karma

aniketsamudra
Engager

Excellent, that worked.. Thank You !!

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...