I have defined a field extraction in a macro as below:
my_search | eval field_A="EventCode: " + EventCode + "; EventType: " + EventType + "; Message: " + substr(Message,1,100)
iseval = 0
What is meant by that? Could anyone explain, please?
substr(X,Y,Z) Returns a substring from X based on the starting position Y and the length Z.
In the search above, substr returns the first 100 characters of the Message field.
The substr command grabs a section of text beginning at the first indicated index number until the number of characters is reached (second number indicated). In your example, it is grabbing the first 100 characters of the field Message.
http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/TextFunctions