Hello,
I have the following field: message.msg:
msg: before send to xxx, payload = {"id":"abc123","userId":1,"currency":1,"amount":"-54"}
I would like to find all search results where amount is <= -50.
How is it possible to do so?
Please let me know if any further information is required.
Thanks in advance!
Like this:
| makeresults | eval "message.msg" = "msg: before send to xxx, payload = {\"id\":\"abc123\",\"userId\":1,\"currency\":1,\"amount\":\"-54\"}"
| rename COMMENT AS "Everything above generates sample events; everything below is your solution"
| rename message.msg AS _raw
| rex mode=sed "s/^[^\{]+//"
| spath
| where amount<=-50
hi @alysea
This JSON field will perhaps have the amount in the payload field. Please check your interesting fields; I think your JSON values are mapped to the field called 'payload' and not message. The regex by @richgalloway is correct.
Try this if the JSON values are coming in a field called 'payload':
| rex field=payload "amount\"+\:+\"(?<amount>.*?)\""
| where amount < -50
Here's one way.
... | rex field=message "amount\":\"(?<amount>-?\d+)" | where amount < -50
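The same extraction outside Splunk, as an added example that is not from any post in this thread: strip the text before the first `{` (what the `rex mode=sed` step does), parse the payload, and convert the quoted `amount` string to a number before comparing. It uses the question's `<= -50` condition, so the boundary value `-50` is included; the sample messages are constructed to match the shape shown in the question.

```python
import json
import re

# Constructed sample events in the shape shown in the question (not real data).
SAMPLE_MSGS = [
    'msg: before send to xxx, payload = {"id":"abc123","userId":1,"currency":1,"amount":"-54"}',
    'msg: before send to xxx, payload = {"id":"abc124","userId":2,"currency":1,"amount":"-50"}',
    'msg: before send to xxx, payload = {"id":"abc125","userId":3,"currency":1,"amount":"20"}',
    'msg: before send to xxx, payload = {"id":"abc126","userId":4,"currency":1}',
    'msg: heartbeat, no payload',
]

# Same idea as the SPL `rex mode=sed "s/^[^\{]+//"`: drop everything before the first '{'.
PREFIX_RE = re.compile(r'^[^{]+')


def extract_payload(msg):
    """Return the JSON payload embedded in a message, or None if there is none."""
    if '{' not in msg:
        return None
    body = PREFIX_RE.sub('', msg, count=1)
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def amount_value(payload):
    """amount arrives as a quoted string ("-54"), so convert explicitly; None if absent or invalid."""
    raw = payload.get('amount') if payload else None
    if raw is None:
        return None
    try:
        return float(raw)
    except (TypeError, ValueError):
        return None


def find_amount_at_most(msgs, threshold=-50):
    """Return the ids of events whose amount is <= threshold (the question's condition)."""
    hits = []
    for msg in msgs:
        payload = extract_payload(msg)
        amt = amount_value(payload)
        if amt is not None and amt <= threshold:
            hits.append(payload['id'])
    return hits


if __name__ == '__main__':
    print(find_amount_at_most(SAMPLE_MSGS))  # ['abc123', 'abc124']
```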
Thank you for the help!
Thank you, I will try and let you know if it works out 🙂