Solved: Substring only the displayed data

rossboss1989 · ‎10-07-2018

The goal here is to let the search filter on the full values but only return a portion (substring) of the "Message" field to the table in the below query.

Often we will have an idea of the event based on the first 100 characters but I need the full messages to be evaluated as truncating them at a search level might cause undesired results.

index=db_apps_digital host=abc* OR host=abc* NOT host=abc NOT host=zxc 
   | spath "Properties.Application" 
   | search "Properties.Application"="app01" OR "Properties.Application"="app02" OR "Properties.Application"="app03"   
   | eval LastEventDateTime=strftime(strptime(LastEventDateTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")   
   | stats count latest(Timestamp) as LastEventDateTime by Properties.Message, Level, Properties.Application
   | sort -count, Level
   | head 100
   | rename Properties.Application as Application, Properties.Message as Message

valiquet · ‎10-28-2018

| eval Message = substr(Message 1,100)

View solution in original post

valiquet · ‎10-28-2018

| eval Message = substr(Message 1,100)

Substring only the displayed data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation