Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

kb_vells
Path Finder
‎08-13-2015 08:50 AM

Please find the sample entries of two log messages given below. I want a search condition to select a report with the value "reportReferenceNumber" : 0

Please help?

Log message 1

"report" : {
    "reportReferenceNumber" : 0,
    "report" : {
      "venue" : {
        "locationId" :2,
        "landmark" : "opp to station",
        ..
     }
}

Log message 2

"report" : {
    "reportReferenceNumber" : 1323,
    "report" : {
      "venue" : {
        "locationId" :2,
        "landmark" : "opp to station",
        ..
     }
}
0 Karma
Reply

maciep
Champion
‎08-15-2015 06:40 PM

You should be able to use the regex command to filter on events that match a criteria. What does your base search look like? Is that full log entry one event in your env? Something like this should work, but if none of these suggestions are working for you, then we may need a little more context...

[your base search] | regex "\"reportReferenceNumber\" : 0," | [stuff to do with the results]
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-14-2015 06:52 AM

Somesoni2's answer should have worked. Try this:

... | rex "reportReferenceNumber\"\s:\s(?P<report_reference_number>\d+)" | search report_reference_number=0 | ...

It works with your sample logs in regex101.com.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kb_vells
Path Finder
‎08-14-2015 07:06 AM

When I use your query I am getting "unbalanced query" error. but when I try using query below, No response again.

rex "\"crimeReferenceNumber\"\s:\s(?P\d+)" | search crime_reference_number=0

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-15-2015 06:13 PM

I left out an escape character. Please try my updated answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

somesoni2
Revered Legend
‎08-13-2015 09:04 AM

You can also filter without the field extraction

index=foo sourcetype=bar  "\"reportReferenceNumber\" : 0" | rest of the search ....
0 Karma
Reply

kb_vells
Path Finder
‎08-14-2015 06:15 AM

sorry for the delayed response. your suggestion not working. Getting "No record" found error

0 Karma
Reply

pradeepkumarg
Influencer
‎08-13-2015 08:54 AM 
... | rex (?m) reportReferenceNumber\W\s\W\s(?P<REPORT_REFERENCE_NUMBER>.\d+)\W | search REPORT_REFERENCE_NUMBER = 0

You can extract the number into a field and filter on it

0 Karma
Reply

kb_vells
Path Finder
‎08-14-2015 06:13 AM

Sorry for the delayed response. Your suggestion not working.
Getting the following error. I used exactly as you described.

⚠Error in 'rex' command: The regex '(?m)' does not extract anything. It should specify at least one named group. Format: (?...).

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-14-2015 06:18 AM

The rex command argument needs to be in quotation marks. 

... | rex "(?m)reportReferenceNumber\W\s\W\s(?P<REPORT_REFERENCE_NUMBER>.\d+)\W" |...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kb_vells
Path Finder
‎08-14-2015 06:38 AM

No result apearing when I combine your suggestion (richgalloway) with search REPORT_REFERENCE_NUMBER= 0
when I remove search REPORT_REFERENCE_NUMBER= 0, I am getting too many result.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...