topic Re: How to create an alert based on a field value regex pattern? in Splunk Search

How to create an alert based on a field value regex pattern?

Log_wrangler — Tue, 29 Sep 2020 19:05:47 GMT

I am looking for the best way to alert when a field value is not within a normal input range?

For example, I have a field called 'Account_ID" and the only normal value should be 1 to 5 digits long, like 99999.

I want to create an alert that triggers if Account_ID = is not a number but contains any characters other than numbers or greater than 5 digits.

For example Account_ID = 87347 (good) Account_ID = 848/'A$ (bad - alert) or Account_ID = 9938848994994 (bad)

Thank you for your help.

Re: How to create an alert based on a field value regex pattern?

adonio — Sat, 14 Apr 2018 13:08:50 GMT

hello @Log_wrangler

try out the following search:

| makeresults count=1 
| eval Account_ID = "2345564,12345,9999999999,342A@,12345$%^"
| makemv delim="," Account_ID
| mvexpand Account_ID
| eval char_count = len(Account_ID)
| eval num_or_string = if(isnum(Account_ID),"Number","String")

from there you can set your alert: | where char_count > 5 .... etc
see also screen shot:

Re: How to create an alert based on a field value regex pattern?

niketn — Tue, 29 Sep 2020 19:02:17 GMT

@Log_wrangler, try the following eval | eval validation_result= if((!isnum(Account_ID)) OR (isnum(Account_ID) AND (len(Account_ID)<=0 OR len(Account_ID)>5)),"bad","good")

Following is a run anywhere search

| makeresults 
| eval Account_ID="87347,848/'A$,9938848994994" 
| makemv Account_ID delim="," 
| mvexpand Account_ID 
| eval validation_result= if((!isnum(Account_ID)) OR (isnum(Account_ID) AND (len(Account_ID)<=0 OR len(Account_ID)>5)),"bad","good")

Re: How to create an alert based on a field value regex pattern?

acharlieh — Sat, 14 Apr 2018 13:15:48 GMT

It sounds like you are looking for the regex command. Using this you will filter out ( != ) events whose account_id field matches your regular expression pattern of what makes a valid account id, and then alert if any events are left.

Re: How to create an alert based on a field value regex pattern?

Log_wrangler — Tue, 29 Sep 2020 19:05:52 GMT

Thank you (everyone) for the replies.

What I would like to do is run a search (for example daily) that returns a list of all the Account_IDs and checks for bad Account_IDs and returns a list of Bad_IDs.

I was thinking about using a != regex match but will that slow performance?

any suggestions on how to write the eval Account_ID != regex then list new field bad_ID?

Thank you

Re: How to create an alert based on a field value regex pattern?

Log_wrangler — Sun, 15 Apr 2018 01:12:12 GMT

I like your query, however there is a problem, if the Account_ID value <=0 , like 000 I want that to be "bad', however I will accept your answer because it is mostly successful. I am looking for the syntax for the eval statement to look at number value instead of length. Please share if you know it.

Thank you

Re: How to create an alert based on a field value regex pattern?

Log_wrangler — Sun, 15 Apr 2018 01:15:49 GMT

IF there is a better way please let me know, but here is what I built off your base code

index=A sourcetype=A_logs |  eval Account_ID_format = if((!isnum(Account_ID)) OR (Account_ID=0) OR (isnum(Account_ID) AND (len(Account_ID)>5)),"bad","good") | search Account_ID_format = bad | stats values(Account_ID_format) by Account_ID

Re: How to create an alert based on a field value regex pattern?

Log_wrangler — Sun, 15 Apr 2018 01:36:16 GMT

Thank you for your reply, I chose to follow the first response bc it seemed easier, but you have a good idea too, which I will refer to in the future.

Re: How to create an alert based on a field value regex pattern?

Log_wrangler — Sun, 15 Apr 2018 01:39:20 GMT

Thank you again Acharlieh.

I do like your idea about not matching a regex pattern.

I think I will ask this specific question in the future.

Re: How to create an alert based on a field value regex pattern?

niketn — Sun, 15 Apr 2018 08:52:36 GMT

@Log_wrangler, please try out the following search. I have updated the validation condition, and performing tonumber() conversion as a separate step.

  index=A sourcetype=A_logs 
 | stats count by Account_ID
 | eval Account_ID=tonumber(Account_ID)
 | eval Account_ID_format= if((isnull(Account_ID)) OR ((Account_ID<=0) OR (len(Account_ID)<=0 OR len(Account_ID)>5)),"bad","good")
 | search Account_ID_format = bad

Notice that I have moved stats up and am performing stats on Good Account Ids as well. But filtering only the bad results in the end. Performing streaming command(eval) on the results of a transforming command (stats) should perform better.