topic Re: How to extract field and check if the value is greater than 300 for the last job? in Splunk Search

How to extract field and check if the value is greater than 300 for the last job?

sarit_s — Thu, 14 Mar 2019 12:27:37 GMT

Hello,

I have log that contains this value :

<0> 10/03/19 16:55:00 : Maintenance counter "UV Calibration" Value is: 31 hours.

I need to check if this value is greater than 300 for the last job
so for example if at 10.3.19 16:55:00 it was 300 and than at 10.3.19 16:56:00 it was 1 than it is not interesting me
but if at 10.3.19 16:55:00 it was 300 and than at 10.3.19 16:56:00 it was 301 i want to raise an alert and show it in table

How can i extract this field and calculate this ?

thanks

Re: How to extract field and check if the value is greater than 300 for the last job?

nickhills — Thu, 14 Mar 2019 14:23:58 GMT

You can do a search time extraction like this:

[your search]|rex "Value\sis\:\s(?P<calibration_duration>\d+)\shours"|table _time calibration_hours

Should give you a listing of all the times, and the calibration durations

If I understand the second part, you want to trigger an alert if two consecutive events are >300 ?

Re: How to extract field and check if the value is greater than 300 for the last job?

somesoni2 — Thu, 14 Mar 2019 14:46:17 GMT

Will there be logs for only one job? Are you always comparing 2 most recent job execution logs or it can be any two consecutive job execution?

Re: How to extract field and check if the value is greater than 300 for the last job?

sarit_s — Thu, 14 Mar 2019 19:27:45 GMT

well.. the log file can contain many jobs log, from many times
but i will always compare 2 recent jobs, yes

Re: How to extract field and check if the value is greater than 300 for the last job?

sarit_s — Tue, 29 Sep 2020 23:42:20 GMT

sorry but i probably did not understand it correctly because this rex returns no results
what should be "calibration_duration" and "calibration_hours"?

about the second part, yes

Re: How to extract field and check if the value is greater than 300 for the last job?

somesoni2 — Thu, 14 Mar 2019 19:48:05 GMT

Where are the job names appear in the log? In your sample data, is 31 (which is followed by hours) is the value you want to capture/compare?

Re: How to extract field and check if the value is greater than 300 for the last job?

sarit_s — Fri, 15 Mar 2019 10:45:02 GMT

well.. i need to check with our analysts where the job name so i will get back to you but for your second Q, yes, 31 is the value i want to capture

Re: How to extract field and check if the value is greater than 300 for the last job?

sarit_s — Sun, 17 Mar 2019 08:19:12 GMT

hi, i checked and the job name is iirelevant but i have sirial number that i can use

Re: How to extract field and check if the value is greater than 300 for the last job?

sarit_s — Sun, 17 Mar 2019 13:34:44 GMT

i tried again your solution
since i have few rows that contains the string "value" im getting result of the first one which is not the correct one
for example:

<0> 25/02/19 18:41:22 : Maintenance counter "Model 2 Left Pump" Value is: 9 hours.
... 48 lines omitted ...
<0> 25/02/19 18:41:22 : Maintenance counter "PM is Due" Value is: 117 hours.
<0> 25/02/19 18:41:22 : Maintenance counter "UV Calibration" Value is: 12 hours.

your solution will return the value '9'

Re: How to extract field and check if the value is greater than 300 for the last job?

sarit_s — Mon, 18 Mar 2019 07:39:51 GMT

UV Calibration" Value is: 17 hours. will return this value: calibration_duration=4375
can you please explain to me what is this number?
maybe you can explain to me the meaning of the regex ?
many thanks !