
How to filter out search results where a field value is with the string?

Hemnaath
Motivator

Hi All,

We want to filter out the events based on a field value containing only string characters, not numerical values. How do we do this using the search query?

index=test sourcetype=firewall | where NOT LIKE (service,"numerical") 

In the service field, we can see both string characters and some port numbers, but we want to filter out only the events containing string characters, not the ones with the port numbers.

Kindly guide me on this.

1 Solution

mayurr98
Super Champion

Try this run-anywhere example:

| makeresults 
| eval service="abc,23,sds,55,dffgdg,13,as,s,xyz"
| makemv service delim=","
| mvexpand service
| rex field=service "(?<service1>^((?!\d+).)*$)" | search service1=*

In your environment, you should try:

index=test sourcetype=firewall | rex field=service "(?<service1>^((?!\d+).)*$)" | search service1=*

Let me know if this helps!

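To make the regex in the accepted answer concrete outside Splunk, here is an added Python example (not from the answer or from Splunk) that applies the same pattern `^((?!\d+).)*$` to a constructed list of service values. It also goes a little beyond the answer: it checks that the lookahead pattern is equivalent to the plainer "no digit anywhere" pattern `^\D*$`, and contrasts it with a hypothetical stricter filter that only drops values that are entirely digits, so that a value like `ssh2` is kept. The empty-string behaviour shown is a property of the regex itself, not a claim about how Splunk's `rex` handles empty captures.

```python
import re

# Pattern from the accepted answer: no character may be followed by a digit,
# which means the whole value contains no digit at all.
PAGE_PATTERN = re.compile(r"^((?!\d+).)*$")

# Plainer equivalent used only for comparison (assumption: same intent).
NO_DIGIT_PATTERN = re.compile(r"^\D*$")

# Hypothetical stricter refinement: drop only values that are pure port numbers.
PURE_PORT_PATTERN = re.compile(r"^\d+$")

# Constructed sample of service values as a firewall sourcetype might carry them.
SAMPLE_SERVICES = [
    "abc", "23", "sds", "55", "dffgdg", "13", "as", "s", "xyz",
    "ssh2",      # letters and a digit: rejected by the page's regex
    "http-alt",  # letters only: kept
    "",          # empty value: the regex itself matches it (zero repetitions)
]


def keep_string_only(values):
    """Mirror `rex ... | search service1=*`: keep values matching the page's regex."""
    return [v for v in values if PAGE_PATTERN.search(v)]


def keep_non_port(values):
    """Alternative: keep everything except values that consist only of digits."""
    return [v for v in values if not PURE_PORT_PATTERN.search(v)]


def patterns_agree(values):
    """True if the lookahead regex and the no-digit regex select the same values."""
    return all(
        bool(PAGE_PATTERN.search(v)) == bool(NO_DIGIT_PATTERN.search(v))
        for v in values
    )


if __name__ == "__main__":
    print("page regex keeps:   ", keep_string_only(SAMPLE_SERVICES))
    print("non-port filter keeps:", keep_non_port(SAMPLE_SERVICES))
    print("patterns agree:", patterns_agree(SAMPLE_SERVICES))
```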

Hemnaath
Motivator

Hi mayurr98, thanks, it helped me to fetch the results containing field values that are string characters.

Hey, I just did my regex course today, but still I am unable to figure out why the is placed like this in the group.

? quantifier syntax is used for optional
^ symbol is used for "starts with"
?! syntax is the negative lookahead assertion - want to match something not followed by something else.
\d+ syntax is used for numerical characters
. syntax is used as a wildcard
* quantifier syntax is used for zero or more of the previous character
$ syntax is used for the end of the string.

Thanks in advance


mayurr98
Super Champion

Well, this is my logic for extracting something. I did not find a direct way to extract strings, so what I did is extract non-digit values (i.e. non-numerical), and that is why I used ?! to negate numerical values.
You can see my work here, and you will find an explanation as well on the right-hand side:
https://regex101.com/r/qiZ6y3/1

Also, if you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.
