Hi,
I am trying to truncate strings returned in queries to the RSA Netwitness DB to deal with a limitation in the parsing code on our end. We need this to be a max of 8000 chars. I am trying to use the substring function in my query but it gets a 500 error with every combo I can think of. This is the documentation text:
| substring | | At least one of the optional attributes from and length must be specified. |
| | name | The unique identifier of a string variable to receive the extracted value. |
| | value | A string value from which to extract a substring. |
| | from (optional) | The zero-based position from which to begin the substring. If not specified, it defaults to zero. |
| | length (optional) | The number of characters to extract. If not specified, it defaults to the remaining length of the string. |
This is how I am using it:
SELECT substring(time1,time,0,8000),device.ip,host.src,host.dst,ip.src,ip.dst,ip.srcport
This is the error I see:
Error: {
"error" : "500 Server Error: The server encountered an internal error: Syntax error found near column 23, expected ')'."
}
I understand that I am not using the substring method correctly but I have tried every combo I can think and it always errors.
Any pointers or help would be appreciated.
Regards,
Philip Wilson
