Splunk Search

How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

kb_vells
Path Finder

Please find the sample entries of two log messages given below. I want a search condition to select a report with the value "reportReferenceNumber" : 0

Please help?

Log message 1

"report" : {
    "reportReferenceNumber" : 0,
    "report" : {
      "venue" : {
        "locationId" :2,
        "landmark" : "opp to station",
        ..
     }
}

Log message 2

"report" : {
    "reportReferenceNumber" : 1323,
    "report" : {
      "venue" : {
        "locationId" :2,
        "landmark" : "opp to station",
        ..
     }
}
0 Karma

maciep
Champion

You should be able to use the regex command to filter on events that match a criteria. What does your base search look like? Is that full log entry one event in your env? Something like this should work, but if none of these suggestions are working for you, then we may need a little more context...

[your base search] | regex "\"reportReferenceNumber\" : 0," | [stuff to do with the results]
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Somesoni2's answer should have worked. Try this:

... | rex "reportReferenceNumber\"\s:\s(?P<report_reference_number>\d+)" | search report_reference_number=0 | ...

It works with your sample logs in regex101.com.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kb_vells
Path Finder

When I use your query I am getting "unbalanced query" error. but when I try using query below, No response again.

rex "\"crimeReferenceNumber\"\s:\s(?P\d+)" | search crime_reference_number=0

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I left out an escape character. Please try my updated answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

somesoni2
SplunkTrust
SplunkTrust

You can also filter without the field extraction

index=foo sourcetype=bar  "\"reportReferenceNumber\" : 0" | rest of the search ....
0 Karma

kb_vells
Path Finder

sorry for the delayed response. your suggestion not working. Getting "No record" found error

0 Karma

pradeepkumarg
Influencer
... | rex (?m) reportReferenceNumber\W\s\W\s(?P<REPORT_REFERENCE_NUMBER>.\d+)\W | search REPORT_REFERENCE_NUMBER = 0

You can extract the number into a field and filter on it

0 Karma

kb_vells
Path Finder

Sorry for the delayed response. Your suggestion not working.
Getting the following error. I used exactly as you described.

⚠Error in 'rex' command: The regex '(?m)' does not extract anything. It should specify at least one named group. Format: (?...).

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The rex command argument needs to be in quotation marks.

... | rex "(?m)reportReferenceNumber\W\s\W\s(?P<REPORT_REFERENCE_NUMBER>.\d+)\W" |...
---
If this reply helps you, Karma would be appreciated.
0 Karma

kb_vells
Path Finder

No result apearing when I combine your suggestion (richgalloway) with search REPORT_REFERENCE_NUMBER= 0
when I remove search REPORT_REFERENCE_NUMBER= 0, I am getting too many result.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...