Solved: Substring only the displayed data

rossboss1989 · ‎10-07-2018

The goal here is to let the search filter on the full values but only return a portion (substring) of the "Message" field to the table in the below query.

Often we will have an idea of the event based on the first 100 characters but I need the full messages to be evaluated as truncating them at a search level might cause undesired results.

index=db_apps_digital host=abc* OR host=abc* NOT host=abc NOT host=zxc 
   | spath "Properties.Application" 
   | search "Properties.Application"="app01" OR "Properties.Application"="app02" OR "Properties.Application"="app03"   
   | eval LastEventDateTime=strftime(strptime(LastEventDateTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")   
   | stats count latest(Timestamp) as LastEventDateTime by Properties.Message, Level, Properties.Application
   | sort -count, Level
   | head 100
   | rename Properties.Application as Application, Properties.Message as Message

valiquet · ‎10-28-2018

| eval Message = substr(Message 1,100)

View solution in original post

valiquet · ‎10-28-2018

| eval Message = substr(Message 1,100)

Substring only the displayed data

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Join the Conversation

Substring only the displayed data

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)