Splunk Search

Check for only non-numeric value in an extracted field

anirbanukil
Explorer

I have following string:

2011-12-01T13:31:25-05:0063487210, TEST# 67779806

I have written the following search string:

host="source" source="Out.log" "TEST# "| rex "TEST# (?<test_no>\t+) "

I want to check if "TEST#" contains any non-numeric values (TEST# must contain all numeric field so that the child applications work properly. Child applications can't handle non-numeric value in TEST# field).

How can I check and alert incase there is some non-numeric value in TEST# field.

Please advice.

Tags (2)
0 Karma
1 Solution

Ayn
Legend

I don't get the test_no extraction. It seems to match one or more tabs after TEST#? Typo?

Anyway regarding the question, how to check if a field has numeric content only: either use regex:

... | regex test_no="^\d+$"

Or where with the function isnum:

... | where isnum(test_no)

View solution in original post

anirbanukil
Explorer

Thanks a lot for the answer. I was able to solve the issue.

0 Karma

dwaddle
SplunkTrust
SplunkTrust

That's good. Please use the "accept answer" checkbox next to one of the answers to accept it and mark the question as "answered".

0 Karma

kristian_kolb
Ultra Champion

Have you looked at eval or where?

There is a function for eval (and where) which is called isnum(X), which may may be what you need.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

hope this helps,

/kristian

Ayn
Legend

I don't get the test_no extraction. It seems to match one or more tabs after TEST#? Typo?

Anyway regarding the question, how to check if a field has numeric content only: either use regex:

... | regex test_no="^\d+$"

Or where with the function isnum:

... | where isnum(test_no)

kristian_kolb
Ultra Champion

I'll have to learn to finish my answer and hit that "post your answer" button.... 🙂

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...