Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why won't eval substr is work with large string of 20k characters?

RJDev
Loves-to-Learn
‎06-19-2022 12:37 PM

Hi, I am new to Splunk. I just started using it last month. For me the below 
" | eval error=substr(msg, 0, 1000) |  table error app_name"    is not working  with my alert event.

It doesn't work for large strings with 20k or more characters. The table cells show blank in this case. But values can be found in verbose mode but in fast mode.

However it works when the msg is of ~1150 characters.

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-27-2022 04:04 PM

Does the makeresults example work in your instance? If so, it would appear that the 20k is not an issue?

If it works, then there is one thing that may be relevant. If your field is a multivalue field, then it substr will not work.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-20-2022 05:19 AM

@RJDev 

I think it should work. I've check by using below search. You can try it.

| makeresults count=1
| eval error="abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz" 
| foreach 1,2,3,4,5,6,7,8,9,10 
    [| eval error=error.error]
| eval erro_new=substr(error, 0, 1000)
| eval error_c = len(error)
| eval erro_new_c = len(erro_new)

 

 

Screenshot 2022-06-20 at 5.48.21 PM.png

Thanks
KV


If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-20-2022 12:48 AM

Hi @RJDev,

It's really stronge, it's the first time I see an issue like this, anyway, you could try to use the rex command maybe it hasn't the same limit:

| rex field=msg "^(?<error>.{1000})"

Ciao.

Giuseppe 

0 Karma
Reply

RJDev
Loves-to-Learn
‎06-26-2022 10:53 PM

Hi @gcusello ,

I just have tried your suggestion,

| rex field=msg "^(?<error>.{1000})"  | table field

However it didn't work. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-26-2022 11:37 PM

Hi @RJDev,

yes, as @bowesmana hinted:

| rex field=msg "^(?<error>.{1000})"
| table error

Ciao.

Giuseppe

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-26-2022 11:00 PM

Did you mean 

... | table error

You are extracting error with the rex command, not field

0 Karma
Reply

RJDev
Loves-to-Learn
‎06-27-2022 02:29 AM

Hi @bowesmana ,

I tried that too. 

| rex field=msg "^(?<error>.{1000})"  | table error

Still no luck.

0 Karma
Reply

RJDev
Loves-to-Learn
‎06-24-2022 11:05 AM

Hi @gcusello Thanks for replying.

Apologies for delayed response. 

Will definitely give this a try shortly and let you know

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top