https://community.splunk.com/t5/Splunk-Search/search-for-pattern-and-if-condition-greater-than-chart-splunk/m-p/496766#M138410 <P>Hi Team,</P> <P>I have a query that output below.</P> <P>loggerName="test" DC=Test ENV=IT AppName=Test2 HostPort=9443 ClientIP=17.XXX.XX.XXX ClientAppId= ClientAppName= txnId=test1 sessionId=test2 method=test requestHeaders={x---geo-test=TEST, x--test=000, dsid=000188, postman-token=TEST, User-Agent=PostmanRuntime/7.20.1, mid=test x-gs-token=test altdsid=test, deflate, Content-Length=83, X-Real-IP=test, Content-Type=application/json, Cookie=SA-Locale=en_US; dslang=US-EN, Accept=<EM>/</EM>, Host=sse-ws-p189-test.apple.com ,no-cache,X-MMe-Client-Info= x-mme-client-info= X-MMe-Client-Info= &lt;=Test OS;11.3;16G102&gt; }</P> <P>Here I would like to capture/Search for the 'Test OS;11.3'</P> <P>and make it to Test-OS=11.3 and count and chart the Test-OS values (Please note 11.3 is variable value)</P> <P>Then the I would like to chart the number of logs entries with Test-OS &gt; 13.</P> Tue, 28 Jan 2020 08:20:03 GMT harkirat9712 2020-01-28T08:20:03Z https://community.splunk.com/t5/Splunk-Search/search-for-pattern-and-if-condition-greater-than-chart-splunk/m-p/496766#M138410 <P>Hi Team,</P> <P>I have a query that output below.</P> <P>loggerName="test" DC=Test ENV=IT AppName=Test2 HostPort=9443 ClientIP=17.XXX.XX.XXX ClientAppId= ClientAppName= txnId=test1 sessionId=test2 method=test requestHeaders={x---geo-test=TEST, x--test=000, dsid=000188, postman-token=TEST, User-Agent=PostmanRuntime/7.20.1, mid=test x-gs-token=test altdsid=test, deflate, Content-Length=83, X-Real-IP=test, Content-Type=application/json, Cookie=SA-Locale=en_US; dslang=US-EN, Accept=<EM>/</EM>, Host=sse-ws-p189-test.apple.com ,no-cache,X-MMe-Client-Info= x-mme-client-info= X-MMe-Client-Info= &lt;=Test OS;11.3;16G102&gt; }</P> <P>Here I would like to capture/Search for the 'Test OS;11.3'</P> <P>and make it to Test-OS=11.3 and count and chart the Test-OS values (Please note 11.3 is variable value)</P> <P>Then the I would like to chart the number of logs entries with Test-OS &gt; 13.</P> Tue, 28 Jan 2020 08:20:03 GMT https://community.splunk.com/t5/Splunk-Search/search-for-pattern-and-if-condition-greater-than-chart-splunk/m-p/496766#M138410 harkirat9712 2020-01-28T08:20:03Z https://community.splunk.com/t5/Splunk-Search/search-for-pattern-and-if-condition-greater-than-chart-splunk/m-p/496767#M138411 <P>Unless i am missing something, I cant see <CODE>Test OS;11.3</CODE> in your event?</P> Tue, 28 Jan 2020 14:13:11 GMT https://community.splunk.com/t5/Splunk-Search/search-for-pattern-and-if-condition-greater-than-chart-splunk/m-p/496767#M138411 nickhills 2020-01-28T14:13:11Z https://community.splunk.com/t5/Splunk-Search/search-for-pattern-and-if-condition-greater-than-chart-splunk/m-p/496768#M138412 <P>extract check:</P> <PRE><CODE>| makeresults | eval _raw="loggerName=\"test\" DC=Test ENV=IT AppName=Test2 HostPort=9443 ClientIP=17.XXX.XX.XXX ClientAppId= ClientAppName= txnId=test1 sessionId=test2 method=test requestHeaders={x---geo-test=TEST, x--test=000, dsid=000188, postman-token=TEST, User-Agent=PostmanRuntime/7.20.1, mid=test x-gs-token=test altdsid=test, deflate, Content-Length=83, X-Real-IP=test, Content-Type=application/json, Cookie=SA-Locale=en_US; dslang=US-EN, Accept=/, Host=sse-ws-p189-test.apple.com ,no-cache,X-MMe-Client-Info= x-mme-client-info= X-MMe-Client-Info= &lt;=Test OS;11.3;16G102&gt; }" | rex "Test OS;(?&lt;Test_OS&gt;[\d.]+)" </CODE></PRE> <P>recommend:</P> <PRE><CODE>your_search | rex "Test OS;(?&lt;Test_OS&gt;[\d.]+)" | stats count by Test_OS | where Test_OS &gt; 13 </CODE></PRE> Tue, 28 Jan 2020 17:37:42 GMT https://community.splunk.com/t5/Splunk-Search/search-for-pattern-and-if-condition-greater-than-chart-splunk/m-p/496768#M138412 to4kawa 2020-01-28T17:37:42Z https://community.splunk.com/t5/Splunk-Search/search-for-pattern-and-if-condition-greater-than-chart-splunk/m-p/496769#M138413 <P>Added. Pls check.</P> Tue, 28 Jan 2020 19:23:57 GMT https://community.splunk.com/t5/Splunk-Search/search-for-pattern-and-if-condition-greater-than-chart-splunk/m-p/496769#M138413 harkirat9712 2020-01-28T19:23:57Z