Solved: How do I search for events that match a regex OR h...

splunkqy · ‎02-04-2019

Say I have an event in the form:

{
    "a": {"b": "c"},
    "d": "e"
 }

I want to include the event if "c" matches a regex or if the value "e" is not null or empty.

How do I write a query for this? As far as I know, you can only find events matching a regex by using | regex <regular expression>. Is there a way to do this like (d != "" AND d != null) OR ( a.b AND | regex <regular expression>)?

chrisyounger · ‎02-04-2019

I would recommend you use the rex command : |rex field=WHATEVER "(?<my_new_field>MATCH_TO_CHECK)"

This will simplify your conditional logic becuase you can just do:

eval includeRecord = if((d != "" AND d != null) OR ( a.b AND isnotnull(my_new_field)), "true", "false") | search includeRecord=true

Hope you can understand my untested code 🙂

View solution in original post

chrisyounger · ‎02-04-2019

I would recommend you use the rex command : |rex field=WHATEVER "(?<my_new_field>MATCH_TO_CHECK)"

This will simplify your conditional logic becuase you can just do:

eval includeRecord = if((d != "" AND d != null) OR ( a.b AND isnotnull(my_new_field)), "true", "false") | search includeRecord=true

Hope you can understand my untested code 🙂

How do I search for events that match a regex OR have Key?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!