Match or Substring for nested object not working

aniketsamudra · ‎02-14-2024

I am running query ->
index=* source="/somesource/*" message "403"
| search level IN (ERROR)

And Response is -->

{
"instant": {
"epochSecond": 1707978481,
"nanoOfSecond": 72000000
},
"thread": "main",
"level": "ERROR",
"message": "Error while creating user group",
"thrown": {
"commonElementCount": 0,
"extendedStackTrace": "403 Forbidden:"
},
"endOfBatch": false,
"threadId": 1,
"threadPriority": 5,
"timestamp": "2024-02-15T06:28:01.072+0000"
}

Now, when i ran following query ->
index=* source="/somesource/*" message "403"
| search level IN (ERROR)
| eval Test=substr(message,1,5)
| eval Test1=substr(thrown.extendedStackTrace, 1, 3)
| table Test, Test1

I am getting value for Test. Correct substring occuring (Output is Error).
But for Test1, its empty string, where as I am expecting 403.

As message is on root, its working, but the extendedStackTrace is under thrown, the thrown.extendedStackTrace is not rending the correct result.

Although, if i do

...| table Test, Test1, thrown.extendedStackTrace

There is a proper value coming in for thrown.extendedStackTrace

What am i missing?

ITWhisperer · ‎02-15-2024

Single quotes around field names with dots in

| eval Test1=substr('thrown.extendedStackTrace', 1, 3)

avisatna · ‎10-08-2024

Thanks, Its worked

aniketsamudra · ‎02-15-2024

Excellent, that worked.. Thank You !!

Match or Substring for nested object not working

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Are you a member of the Splunk Community?

Match or Substring for nested object not working

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud