Splunk Search

conditional rex in splunk

abhayneilam
Contributor

I have a field called Number and it has got a value like :

| inputlookup Numbers.csv

Number
102
2
45
204
345
100
100
45
21
100
103

If I do | inputlookup Numbers.csv | where Number > 100 then I would get only those number which are greater than 100.

The same thing I wanna achieve using Regular Expression ( REGEX ) to get only those which are greater than 100. It could be 101 , 102, 102...100000000002, 10000000,5000,345,50987,etc.

I did this "| inputlookup Numbers.csv | regex Number="(1|[2-9])(0|[1-9])(1|[2-9])" but , partially working. Kindly help !!

Tags (2)
0 Karma
1 Solution

FrankVl
Ultra Champion

Not entirely sure why you would want to do this with a regex, but this should work I think:

| inputlookup Numbers.csv | regex Number="(10[1-9]|1[1-9][0-9]|[2-9][0-9][0-9]|\d{4,})"

This covers all 4 cases: 101-109,110-199,200-999,1000-...

Alternatively, you could do:

| inputlookup Numbers.csv | regex Number="\d{3,}" | regex Number!="100"

To first get any Number of 3 or more digits and then drop the ones equal to 100.

View solution in original post

FrankVl
Ultra Champion

Not entirely sure why you would want to do this with a regex, but this should work I think:

| inputlookup Numbers.csv | regex Number="(10[1-9]|1[1-9][0-9]|[2-9][0-9][0-9]|\d{4,})"

This covers all 4 cases: 101-109,110-199,200-999,1000-...

Alternatively, you could do:

| inputlookup Numbers.csv | regex Number="\d{3,}" | regex Number!="100"

To first get any Number of 3 or more digits and then drop the ones equal to 100.

abhayneilam
Contributor

Thanks !!!!

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...