Splunk Search

Compare values in search

gnovak
Builder

Hello,

I've read through some of the other questions on here to try and find an answer to my question, but i'm still not 100% sure so here goes.

I am running this search:

sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="12" [BalanceEmail]

Basically, the short story is that a bunch of emails go out to clients. There is usually a set number of emails that are supposed to go out, and in the logs it will state something like this:

[BalanceEmail] Total number of registrars' email to be sent: 125

[BalanceEmail]125 of 125 of email notification sent.

Processed 125 records in step 1

What I'd like to do is, out of the results I got from running the above search, match up the total number of emails to be sent with how many actually were sent out. If the number sent out is less than the number to be sent, I'll generate an email to go out if the search results indicate the value is less than the number of emails that were supposed to go out.

I'm still a little new to all of this so having a hard time weeding through all the options I might have. Suggestions?

I'm wondering if I should extract [BalanceEmail] as a new field. I was going to try that.

1 Solution

sideview
SplunkTrust

I'm not sure there's enough information here for a proper answer, but here's an attempt:

It looks like you just need either a field extraction or a rex command to pull out the two numbers from this event:

[BalanceEmail]125 of 125 of email notification sent.

And the other events are not important?

Say that you had those fields extracted, and one was called totalEmailsToSend, and the other was called totalEmailsSent. If that's the case then this search would filter your results down to just the rows that had sent less than they were supposed to:

<your search> | where totalEmailsSent < totalEmailsToSend

And you'd run that search on a schedule and have it email you if it ever matches one or more events.

And a regex that would do it would be:

^\[BalanceEmail\](?<totalEmailsSent>[\d]+) of (?<totalEmailsToSend>[\d]+) of email notification sent\.

To try and put it all together (just using rex for now):

sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="12" "[BalanceEmail]" email notification sent | rex field=_raw "^\[BalanceEmail\](?<totalEmailsSent>[\d]+) of (?<totalEmailsToSend>[\d]+) of email notification sent\." | where totalEmailsSent < totalEmailsToSend

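As an added illustration that is not part of the original thread, here is the same regex and comparison from this answer applied in Python to a handful of constructed sample events, including the neighbouring lines that also contain numbers and must not match. Python's re module spells named groups `(?P<name>...)` where Splunk's rex uses `(?<name>...)`; otherwise the pattern is unchanged.

```python
import re

# Same regex as in the answer above, anchored at the start of the event so only the
# "[BalanceEmail]N of M of email notification sent." line can match.
BALANCE_RE = re.compile(
    r"^\[BalanceEmail\](?P<totalEmailsSent>\d+) of (?P<totalEmailsToSend>\d+)"
    r" of email notification sent\."
)

# Constructed sample events (not real log data): one healthy run, one short run,
# plus the surrounding lines that also carry numbers but should be ignored.
SAMPLE_EVENTS = [
    "[BalanceEmail] Total number of registrars' email to be sent: 125",
    "[BalanceEmail]125 of 125 of email notification sent.",
    "Processed 125 records in step 1",
    "[BalanceEmail] Total number of registrars' email to be sent: 130",
    "[BalanceEmail]118 of 130 of email notification sent.",
    "Processed 118 records in step 1",
]


def extract(event):
    """Equivalent of `rex field=_raw ...`: the two numbers, or None if the event does not match."""
    m = BALANCE_RE.match(event)
    if not m:
        return None
    return int(m.group("totalEmailsSent")), int(m.group("totalEmailsToSend"))


def short_runs(events):
    """Equivalent of `| where totalEmailsSent < totalEmailsToSend`: only the under-delivered runs."""
    hits = []
    for event in events:
        parsed = extract(event)
        if parsed is None:
            continue  # non-matching lines carry no extracted fields, just as in Splunk
        sent, to_send = parsed
        if sent < to_send:
            hits.append({"_raw": event, "totalEmailsSent": sent, "totalEmailsToSend": to_send})
    return hits


if __name__ == "__main__":
    for hit in short_runs(SAMPLE_EVENTS):
        print(f"ALERT: {hit['totalEmailsSent']} of {hit['totalEmailsToSend']} sent -> {hit['_raw']}")
```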

sideview
SplunkTrust

It makes sense, but the regex that I included as an example would indeed only match that line and it shouldn't match any other of your events.


gnovak
Builder

Actually, looking today, I think I ran into a problem.

[BalanceEmail]125 of 125 of email notification sent.

If all I want to do is extract the first number and call it TotalEmailsSent and then extract the second number and call it TotalEmailsToSend, it appears to be a bit difficult, because when I do extract that area as a field, it's also recognizing other things I do not want when I test the field extraction. I only want the numbers from the line that starts with [BalanceEmail] and no other numbers from other lines that may start with something else....if that makes sense....:/


gnovak
Builder

That actually did work. I was able to use the field extractor and create the search. I don't know why, but I tried this the other day and must have done something wrong. I'm going to test this a bit more, but I believe this worked. 🙂
