Splunk Search

How to find field data that does not match expected output

vincenp2
New Member

I am collecting data from a field that should contain a 9-digit number.
I am finding that there are some instances where this field is blank or contains alphanumeric characters.

In order to quantify the issue (and identify this other content), could anyone advise what search query I can use to identify the events where the field does NOT contain a 9-digit number, please?

0 Karma
1 Solution

micahkemp
Champion
rex field=your_field "^(?<expected_field>[0-9]{9})$" | search NOT expected_field=*

vincenp2
New Member

Thanks very much for this - it has provided me with a list of all events that do NOT contain a 9 digit number in the field, which is exactly what I wanted 🙂

0 Karma

mayurr98
Super Champion

hey @vincenp2

Try this run-anywhere search:

    | makeresults | eval your_field="123456789" | rex field=your_field "(?P<field1>^\d{9})"

your_field is the field that contains blank, 9-digit and alphanumeric values, and field1 is the one with only the 9-digit number, which you can use for further analysis.

In your environment, you should write:

    <your_base_search> | rex field=your_field "(?P<field1>^\d{9})"

Check for field1 values, which you can use in the search query instead of your_field.

Let me know if this works!

0 Karma

vincenp2
New Member

Thanks for the input - it didn't quite produce what I was wanting - whether that was me getting it wrong somewhere or not I'm not sure - the accepted answer has provided the info I needed - I don't know if from this you can get an understanding of the differences?

Thanks for replying though, much appreciated 🙂

0 Karma

mayurr98
Super Champion

hey, this also gives the same output, just that you need to filter out events:

    <your_base_search> | rex field=your_field "(?P<field1>^\d{9})" | search NOT field1=*
0 Karma

micahkemp
Champion

I think the issue with your regex may be that it doesn't enforce that there are no additional characters after the nine digits.

0 Karma
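To make the difference between the two answers concrete, here is an added Python example (not Splunk code and not either poster's own) that applies both regexes to a constructed set of your_field values and mimics the `rex ... | search NOT field=*` filter; the sample values are invented for this illustration.

```python
import re

# Constructed sample values for your_field: the kinds the question describes
# (valid 9-digit ids, blanks, alphanumerics) plus over-long values that only
# the end-anchored pattern rejects.
SAMPLE_VALUES = [
    "123456789",   # valid
    "",            # blank
    "12345678A",   # alphanumeric, too short
    "ABC",         # alphanumeric
    "1234567890",  # 10 digits: starts with 9 digits but is not a 9-digit number
    "987654321",   # valid
    "123456789x",  # 9 digits followed by junk
]

# Accepted answer: anchored at both ends, so exactly nine digits and nothing else.
ANCHORED = re.compile(r"^(?P<expected_field>[0-9]{9})$")
# Second answer: anchored at the start only, so trailing characters slip through.
START_ONLY = re.compile(r"(?P<field1>^\d{9})")


def extract(pattern, value):
    """Mimic `rex field=your_field "<pattern>"`: the captured group, or None if no match."""
    m = pattern.search(value)
    return m.group(1) if m else None


def not_matching(values, pattern):
    """Mimic `| search NOT <field>=*`: keep events where the extraction produced nothing."""
    return [v for v in values if extract(pattern, v) is None]


if __name__ == "__main__":
    # The anchored pattern flags "1234567890" and "123456789x"; the start-only one does not.
    print("anchored   ->", not_matching(SAMPLE_VALUES, ANCHORED))
    print("start-only ->", not_matching(SAMPLE_VALUES, START_ONLY))
```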