Splunk Search

what is the use of substr in my macro?

Builder

I have defined a field extraction in a macro as below

mysearch | eval fieldA="EventCode: " + EventCode + "; EventType: " + EventType + "; Message: " + substr(Message,1,100)
iseval = 0

What is meant by that? could anyone explain please.

0 Karma
Highlighted

Re: what is the use of substr in my macro?

Champion
substr(X,Y,Z)   Returns a substring from X based on the starting position Y and the length Z.

In the search above substr returns the first 100 characters of the Message field.

View solution in original post

Highlighted

Re: what is the use of substr in my macro?

Super Champion

The substr command grabs a section of text beginning at the first indicated index number Until the number of characters is reached (second number indicated). In your example, it is grabbing the first 100 characters of the field Message.
http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/TextFunctions