How do I split the values of a field which have a pattern?

aramakrishnan
New Member

I have a field called 'indication' which has values in the form of text - 123.1. I'm trying to set up an alert to detect an erroneous case where values of the form text - 123.1 - OTHER occurs. The key thing to note here is that the bug is when - OTHER is inserted in the field value. I'm trying to see if there's a way in which I can be alerted when the condition where -OTHER is followed by the number. (i.e., there are cases where "text-OTHER" can occur, which is not erroneous, so I want to exclude these cases in my alert). Also note that the 'text' portion is different for different fields, so I cannot set a condition on that.

For example, there are cases like:

"thisisrandomtext - 123.11 " (which is acceptable)
"morerandom texthere - 232.0" (which is acceptable)
"thisisra ndcoma gain - OTHER" (which is acceptable)
"thisisanerrorcase - 121.112 - OTHER" (which is an ERROR)
"thisisanerror again test - 123 - OTHER" (which is an ERROR)

So I guess the real indication of the error pattern would be a number followed by - and OTHER.

Is there some way I could break this field into 3 parts (text | number | - OTHER) using Rex and set up an alert when the last field has a value in it (i.e., detect the presence of "-OTHER")?

Thank you so much!

0 Karma

echalex
Builder

Hi again,

As tom_frotscher pointed out, there is more than one way to do it (TIMTOWTDI). If you prefer to use rex, this should do it:

... |rex field=indication "([^-]+-){2}(?<bad_data>.+)$" |where isnull(bad_data)

Again, this does not look at the contents itself, only whether there are three parts or not. If you want to ensure that the second part is either "OTHER" or a number as specified, it gets more complicated:

... |rex field=indication "^([^-]+)\s*-\s*(?<middle>[0-9.]+|OTHER)(?<bad_data>\s*-.*)?"
  | where isnull(bad_data) AND isnotnull(middle)

0 Karma

echalex
Builder

Hi aramakrishnan,

Based on the input and the description, you could also do this by doing a simple split (using makemv) and checking whether the third field is null or not. This is a simple solution and it does not look into the actual values.

...|eval ind_split=indication |makemv delim="-" ind_split |eval error_detected=if(isnotnull(mvindex(ind_split,2)),1,0) |where error_detected=0

(If you know that the dash is always surrounded by spaces, you could also use delim=" - ".)

0 Karma

tom_frotscher
Builder

Hi,

There are many ways to get this solved. For example, you can use the regex command to filter with regex:

So try to append this to your current search:

... | regex indication="\d+\s-\sOTHER"

The regex just says, one or more digits (so this is for your number), followed by exactly one space, the "-" symbol, one more space and "OTHER".

Here is also a small run everywhere example, that you can simply copy and paste into your search bar:

| stats count | eval indication = "thisisra ndcoma gain - OTHER" | append [| stats count | eval indication = "thisisanerrorcase - 121.112 - OTHER"] | regex indication ="\d+\s-\sOTHER"

Greetings

Tom

0 Karma
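As an added Python example (not code from the thread), the two approaches above, echalex's three-part rex split and tom_frotscher's regex filter, translated into Python's re module and run over the five sample values from the question so the logic can be checked offline. The only assumed change is Python's (?P<name>...) group syntax in place of PCRE's (?<name>...) used by Splunk's rex.

```python
import re

# Constructed sample values, copied from the question's examples (not real data).
SAMPLES = [
    "thisisrandomtext - 123.11 ",
    "morerandom texthere - 232.0",
    "thisisra ndcoma gain - OTHER",
    "thisisanerrorcase - 121.112 - OTHER",
    "thisisanerror again test - 123 - OTHER",
]

# echalex's three-part rex pattern. Splunk's rex uses PCRE "(?<name>...)" groups;
# Python's re needs "(?P<name>...)". Otherwise the pattern is unchanged (no "$"
# anchor, just like the original, so a trailing space after the number is tolerated).
THREE_PART_RE = re.compile(
    r"^(?P<text>[^-]+)\s*-\s*(?P<middle>[0-9.]+|OTHER)(?P<bad_data>\s*-.*)?"
)

# tom_frotscher's simpler filter: a number, one space, "-", one space, "OTHER".
NUMBER_THEN_OTHER_RE = re.compile(r"\d+\s-\sOTHER")


def split_indication(value):
    """Break a value into (text, middle, bad_data); bad_data is None when absent.

    Returns None when the value does not have the "text - number|OTHER" shape at all.
    """
    m = THREE_PART_RE.match(value)
    if m is None:
        return None
    return m.group("text").strip(), m.group("middle"), m.group("bad_data")


def is_error(value):
    """Erroneous when a third '- ...' segment follows the middle part (rex approach)."""
    parts = split_indication(value)
    return parts is not None and parts[2] is not None


def is_error_simple(value):
    """Same decision via the regex-command approach: digits followed by ' - OTHER'."""
    return NUMBER_THEN_OTHER_RE.search(value) is not None


def find_errors(values, check=is_error):
    """Return the values a Splunk alert would fire on under the chosen check."""
    return [v for v in values if check(v)]


if __name__ == "__main__":
    for v in SAMPLES:
        flag = "ERROR" if is_error(v) else "ok"
        print(f"{flag:5} {v!r} -> {split_indication(v)}")
```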