Splunk Search

splunk query with substring not working

super_edition
Path Finder

Hello Everyone,

I have written a Splunk query to remove the last 2 characters from a string:

processingDuration = 102ms as 102, for the following log:

{
	"timestamp": "2029-02-29 07:32:54.734",
	"level": "INFO",
	"thread": "54dd544ff",
	"logger": "my.logger",
	"message": {
		"logTimeStamp": "2029-02-29T07:32:54.734494726Z",
		"logType": "RESP",
		"statusCode": 200,
		"processingDuration": "102ms",
		"headers": {
			"Content-Type": [
				"application/json"
			]
		},
		"tracers": {
			"correlation-id": [
				"hfkjhwkj98342"
			],
			"request-id": [
				"53456345"
			],
			"service-trace-id": [
				"34234623456"
			]
		}
	},
	"context": "hello-service"
}

My Splunk query:

index=my_index    
| spath logger | search logger="my.logger" 
| spath "message.logType" | search "message.logType"=RESP 
| spath "message.tracers.correlation-id{}" | search "message.tracers.correlation-id{}"="hfkjhwkj98342" 
| eval myprocessTime = substr("message.processingDuration", 1, len("message.processingDuration")-2)
| table "message.tracers.correlation-id{}" myprocessTime

The above query treats "message.processingDuration" as a string literal and removes the last 2 characters from it.


I also tried without the double quotes; it returned empty:

substr(message.processingDuration, 1, len(message.processingDuration)-2)

Appreciate your help on this.

Thanks in advance.

1 Solution

richgalloway
SplunkTrust

A string in single quotes is treated by Splunk as a field name.

substr('message.processingDuration', 1, len('message.processingDuration')-2)
---
If this reply helps you, Karma would be appreciated.
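As an added illustration (not part of either post above), the corrected query rebuilt on makeresults so it runs without the original index: the _raw event is a constructed copy of the log in the question, and the myprocessTimeMs and asLiteral columns are added names used only to show the numeric conversion and what the double-quoted form returns.

```spl
| makeresults
| eval _raw="{\"logger\":\"my.logger\",\"message\":{\"logType\":\"RESP\",\"statusCode\":200,\"processingDuration\":\"102ms\",\"tracers\":{\"correlation-id\":[\"hfkjhwkj98342\"]}}}"
| spath
| search logger="my.logger" "message.logType"=RESP "message.tracers.correlation-id{}"="hfkjhwkj98342"
| eval myprocessTime = substr('message.processingDuration', 1, len('message.processingDuration')-2)
| eval myprocessTimeMs = tonumber(myprocessTime)
| eval asLiteral = substr("message.processingDuration", 1, len("message.processingDuration")-2)
| table "message.tracers.correlation-id{}" "message.processingDuration" myprocessTime myprocessTimeMs asLiteral
```

The single row returned has myprocessTime = 102, myprocessTimeMs = 102 as a number usable in stats, and asLiteral = message.processingDurati, the 26-character literal with its last two characters cut off. In eval, double quotes always denote a string literal and single quotes reference a field, which is what makes the difference for field names containing dots, hyphens or {}.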

