I have a field called 'indication' which has values in the form of "text - 123.1". I'm trying to set up an alert to detect an erroneous case where values of the form "text - 123.1 - OTHER" occur. The key thing to note here is that the bug is when "- OTHER" is inserted in the field value. I'm trying to see if there's a way in which I can be alerted when the condition where "-OTHER" is preceded by the number occurs (i.e., there are cases where "text-OTHER" can occur, which is not erroneous, so I want to exclude these cases in my alert). Also note that the 'text' portion is different for different fields, so I cannot set a condition on that.
For example, there are cases like:
"thisisrandomtext - 123.11 " (which is acceptable)
"morerandom texthere - 232.0" (which is acceptable)
"thisisra ndcoma gain - OTHER" (which is acceptable)
"thisisanerrorcase - 121.112 - OTHER" (which is an ERROR)
"thisisanerror again test - 123 - OTHER" (which is an ERROR)
So I guess the real indication of the error pattern would be a number followed by - and OTHER.
Is there some way I could break this field into 3 parts (text | number | - OTHER) using rex and set up an alert when the last field has a value in it (i.e., detect the presence of "-OTHER")?
Thank you so much!
Hi again,
As tom_frotscher pointed out, there is more than one way to do it (TIMTOWTDI). If you prefer to use rex, this should do it:
... |rex field=indication "([^-]+-){2}(?<bad_data>.+)$" |where isnull(bad_data)
Again, this does not look at the contents itself, only whether there are three parts or not. If you want to ensure that the second part is either "OTHER" or a number as specified, it gets more complicated:
... |rex field=indication "^([^-]+)\s*-\s*(?<middle>[0-9.]+|OTHER)(?<bad_data>\s*-.*)?"
| where isnull(bad_data) AND isnotnull(middle)
Hi aramkrishnan,
Based on the input and the description, you could also do this by doing a simple split (using makemv) and checking whether the third field is null or not. This is a simple solution and it does not look into the actual values.
...|eval ind_split=indication |makemv delim="-" ind_split |eval error_detected=if(isnotnull(mvindex(ind_split,2)),1,0) |where error_detected=0
(If you know that the dash is always surrounded by spaces, you could also use delim=" - ".)
Hi,
There are many ways to get this solved. For example, you can use the regex command to filter with a regex.
So try to append this to your current search:
... | regex indication="\d+\s-\sOTHER"
The regex just says, one or more digits (so this is for your number), followed by exactly one space, the "-" symbol, one more space and "OTHER".
Here is also a small run-anywhere example that you can simply copy and paste into your search bar:
| stats count | eval indication = "thisisra ndcoma gain - OTHER" | append [| stats count | eval indication = "thisisanerrorcase - 121.112 - OTHER"] | regex indication="\d+\s-\sOTHER"
Greetings
Tom
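The three-part split the question asks for (text | number | - OTHER), worked outside Splunk as an added Python example that is not from any of the answers above; it runs the sample values from the question through a tolerant regex and also through the strict `\d+\s-\sOTHER` pattern from the regex-command answer, to show that the strict form misses a value where the dash has no surrounding spaces. The sample values are constructed from the question, not real log data.

```python
import re

# Constructed sample values copied from the question (not real log data).
SAMPLE_INDICATIONS = [
    "thisisrandomtext - 123.11 ",
    "morerandom texthere - 232.0",
    "thisisra ndcoma gain - OTHER",
    "thisisanerrorcase - 121.112 - OTHER",
    "thisisanerror again test - 123 - OTHER",
]

# Three-part split: text | number | OTHER. Whitespace around the dashes is
# optional, so "123.1-OTHER" is still caught. The middle part must be a whole
# number, so "text - OTHER" (no number) does not match and is not an error.
ERROR_PATTERN = re.compile(
    r"^(?P<text>.*?)\s*-\s*(?P<number>\d+(?:\.\d+)?)\s*-\s*(?P<other>OTHER)\s*$"
)

# Strict form from the regex-command answer: digits, one space, dash, one
# space, OTHER. Kept here only to show the spacing caveat.
STRICT_PATTERN = re.compile(r"\d+\s-\sOTHER")


def split_indication(value):
    """Return (text, number, other) when value is the erroneous form, else None."""
    m = ERROR_PATTERN.match(value)
    if not m:
        return None
    return m.group("text"), m.group("number"), m.group("other")


def is_error(value):
    """True when a number is followed by '- OTHER' (spacing tolerated)."""
    return split_indication(value) is not None


def strict_match(value):
    """True only when the value matches the strict 'digits - OTHER' pattern."""
    return STRICT_PATTERN.search(value) is not None


def find_errors(values):
    """Return the subset of values that carry the number followed by OTHER."""
    return [v for v in values if is_error(v)]


if __name__ == "__main__":
    for v in SAMPLE_INDICATIONS + ["x - 123.1-OTHER"]:
        print(repr(v), "->", "ERROR" if is_error(v) else "ok",
              "| strict:", strict_match(v), "| parts:", split_indication(v))
```

The alert condition in Splunk is the inverse of the `where isnull(...)` / `error_detected=0` filters in the answers: keep rows where the third part is present.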