Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why won't eval substr is work with large string of 20k characters?

RJDev
Loves-to-Learn
‎06-19-2022 12:37 PM

Hi, I am new to Splunk. I just started using it last month. For me the below 
" | eval error=substr(msg, 0, 1000) |  table error app_name"    is not working  with my alert event.

It doesn't work for large strings with 20k or more characters. The table cells show blank in this case. But values can be found in verbose mode but in fast mode.

However it works when the msg is of ~1150 characters.

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-27-2022 04:04 PM

Does the makeresults example work in your instance? If so, it would appear that the 20k is not an issue?

If it works, then there is one thing that may be relevant. If your field is a multivalue field, then it substr will not work.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-20-2022 05:19 AM

@RJDev 

I think it should work. I've check by using below search. You can try it.

| makeresults count=1
| eval error="abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz" 
| foreach 1,2,3,4,5,6,7,8,9,10 
    [| eval error=error.error]
| eval erro_new=substr(error, 0, 1000)
| eval error_c = len(error)
| eval erro_new_c = len(erro_new)

 

 

Screenshot 2022-06-20 at 5.48.21 PM.png

Thanks
KV


If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-20-2022 12:48 AM

Hi @RJDev,

It's really stronge, it's the first time I see an issue like this, anyway, you could try to use the rex command maybe it hasn't the same limit:

| rex field=msg "^(?<error>.{1000})"

Ciao.

Giuseppe 

0 Karma
Reply

RJDev
Loves-to-Learn
‎06-26-2022 10:53 PM

Hi @gcusello ,

I just have tried your suggestion,

| rex field=msg "^(?<error>.{1000})"  | table field

However it didn't work. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-26-2022 11:37 PM

Hi @RJDev,

yes, as @bowesmana hinted:

| rex field=msg "^(?<error>.{1000})"
| table error

Ciao.

Giuseppe

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-26-2022 11:00 PM

Did you mean 

... | table error

You are extracting error with the rex command, not field

0 Karma
Reply

RJDev
Loves-to-Learn
‎06-27-2022 02:29 AM

Hi @bowesmana ,

I tried that too. 

| rex field=msg "^(?<error>.{1000})"  | table error

Still no luck.

0 Karma
Reply

RJDev
Loves-to-Learn
‎06-24-2022 11:05 AM

Hi @gcusello Thanks for replying.

Apologies for delayed response. 

Will definitely give this a try shortly and let you know

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...