topic How do you find true or false value in the following string? in Splunk Search

topic How do you find true or false value in the following string? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427073#M167000 <P>Hi,</P> <P>I have to find the value of true or false from the following string in logfile. Below are 2 strings with either a true or false value. I just want to find a string with a false value and create an alert. </P> <P>How do I achieve this?</P> <P>batchId ==>9459a2b3-871c-4f1b-aece-feb905121b3f==false<BR /> batchId ==>14c86ffd-2ae5-4848-995e-6923485c9ed6==true</P> <P>Thanks</P> Tue, 16 Oct 2018 07:10:32 GMT abhishekgandhe 2018-10-16T07:10:32Z How do you find true or false value in the following string? https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427073#M167000 <P>Hi,</P> <P>I have to find the value of true or false from the following string in logfile. Below are 2 strings with either a true or false value. I just want to find a string with a false value and create an alert. </P> <P>How do I achieve this?</P> <P>batchId ==>9459a2b3-871c-4f1b-aece-feb905121b3f==false<BR /> batchId ==>14c86ffd-2ae5-4848-995e-6923485c9ed6==true</P> <P>Thanks</P> Tue, 16 Oct 2018 07:10:32 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427073#M167000 abhishekgandhe 2018-10-16T07:10:32Z Re: How do you find true or false value in the following string? https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427074#M167001 <P>Searching for a specific string in Splunk is a matter of specifying that string in your query. For example, <CODE>index=foo "false" | ...</CODE> will return all events with "false" in them.</P> Tue, 16 Oct 2018 11:11:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427074#M167001 richgalloway 2018-10-16T11:11:38Z Re: How do you find true or false value in the following string? https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427075#M167002 <P>My mistake. I should have given full requirement.</P> <P>I want to first find the batchID and then corresponding true/false value for it.</P> <P>Thanks</P> Wed, 17 Oct 2018 02:33:04 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427075#M167002 abhishekgandhe 2018-10-17T02:33:04Z Re: How do you find true or false value in the following string? https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427076#M167003 <P>Hi @abhishekgandhe ,</P> <P>Can you share a few sample events?</P> Wed, 17 Oct 2018 04:05:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427076#M167003 MousumiChowdhur 2018-10-17T04:05:38Z Re: How do you find true or false value in the following string? https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427077#M167004 <P>Here are some logs</P> <P>{"message":[{"raw":"Lab checkRcReady for <STRONG>batchId ==>2d465022-fb3a-4584-a9c4-6cec867e6694==true</STRONG> :: Output Quality 41.6289592760181%","severityLevel":"Informational","timestamp":"2018-10-17T09:30:47+00:00","sourceType":"LOGBack","loggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl","level":"INFO","threadName":"pool-29-thread-1"}],"internal":{"data":{"id":"5665ef35-d1ef-11e8-9c0f-9b51e6fd477d","documentVersion":"1.61"}},"context":{"data":{"eventTime":"2018-10-17T09:30:47.923Z","isSynthetic":false,"samplingRate":100.0},"device":{"id":"e5fae3de5734","type":"PC","osVersion":"Linux","roleInstance":"e5fae3de5734","deviceName":"Other","deviceModel":"Other","locale":"en-US","browser":"Apache-HttpClient","browserVersion":"Apache-HttpClient 4.5","screenResolution":{}},"user":{"isAuthenticated":false},"session":{"isFirst":false},"operation":{},"location":{"clientip":"0.0.0.0","continent":"North America","country":"United States","province":"Virginia","city":"Boydton"},"custom":{"dimensions":[{"LoggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl"},{"LoggingLevel":"INFO"},{"SourceType":"LOGBack"},{"TimeStamp":"Wed, 17 Oct 2018 09:30:47 GMT"},{"systemGuid":"9516e36a-e5e9-4ec5-a449-edcaeb5f227f"},{"pointId":"fi_12101_01.pv_ag"},{"ThreadName":"pool-29-thread-1"},{"endTime":"1539232140000"}]}}}<BR /> ... 3 lines omitted ...<BR /> {"message":[{"raw":"Critical-Lab checkRcReady for <STRONG>batchId ==>16cfe3ea-52be-4017-b2b2-aedbb360d150==true</STRONG> :: Output Quality 0.0%","severityLevel":"Informational","timestamp":"2018-10-17T09:30:49+00:00","sourceType":"LOGBack","loggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl","level":"INFO","threadName":"pool-29-thread-1"}],"internal":{"data":{"id":"5665ef39-d1ef-11e8-9c0f-9b51e6fd477d","documentVersion":"1.61"}},"context":{"data":{"eventTime":"2018-10-17T09:30:49.321Z","isSynthetic":false,"samplingRate":100.0},"device":{"id":"e5fae3de5734","type":"PC","osVersion":"Linux","roleInstance":"e5fae3de5734","deviceName":"Other","deviceModel":"Other","locale":"en-US","browser":"Apache-HttpClient","browserVersion":"Apache-HttpClient 4.5","screenResolution":{}},"user":{"isAuthenticated":false},"session":{"isFirst":false},"operation":{},"location":{"clientip":"0.0.0.0","continent":"North America","country":"United States","province":"Virginia","city":"Boydton"},"custom":{"dimensions":[{"LoggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl"},{"LoggingLevel":"INFO"},{"SourceType":"LOGBack"},{"TimeStamp":"Wed, 17 Oct 2018 09:30:49 GMT"},{"systemGuid":"9516e36a-e5e9-4ec5-a449-edcaeb5f227f"},{"pointId":"fi_12101_01.pv_ag"},{"ThreadName":"pool-29-thread-1"},{"endTime":"1539239340000"}]}}}<BR /> ... 9 lines omitted ...<BR /> {"message":[{"raw":"Critical-Lab checkRcReady for <STRONG>batchId ==>85d82866-11be-447d-a06c-5ed1bb727a13==true</STRONG> :: Output Quality 0.0%","severityLevel":"Informational","timestamp":"2018-10-17T09:30:52+00:00","sourceType":"LOGBack","loggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl","level":"INFO","threadName":"pool-29-thread-1"}],"internal":{"data":{"id":"598e0a35-d1ef-11e8-8b3a-4b8260d9fc0d","documentVersion":"1.61"}},"context":{"data":{"eventTime":"2018-10-17T09:30:52.616Z","isSynthetic":false,"samplingRate":100.0},"device":{"id":"e5fae3de5734","type":"PC","osVersion":"Linux","roleInstance":"e5fae3de5734","deviceName":"Other","deviceModel":"Other","locale":"en-US","browser":"Apache-HttpClient","browserVersion":"Apache-HttpClient 4.5","screenResolution":{}},"user":{"isAuthenticated":false},"session":{"isFirst":false},"operation":{},"location":{"clientip":"0.0.0.0","continent":"North America","country":"United States","province":"Virginia","city":"Boydton"},"custom":{"dimensions":[{"LoggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl"},{"LoggingLevel":"INFO"},{"SourceType":"LOGBack"},{"TimeStamp":"Wed, 17 Oct 2018 09:30:52 GMT"},{"systemGuid":"9516e36a-e5e9-4ec5-a449-edcaeb5f227f"},{"pointId":"fi_12101_01.pv_ag"},{"ThreadName":"pool-29-thread-1"},{"endTime":"1539404040000"}]}}}</P> Tue, 29 Sep 2020 21:41:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427077#M167004 abhishekgandhe 2020-09-29T21:41:57Z Re: How do you find true or false value in the following string? https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427078#M167005 <P>Hi @abhishekgandhe </P> <P>You can write a regular expression to extract the batch id and the true/false value. <BR /> Regex to extract batchId - <CODE>(batchId)\s+\=\=\>(?P<batchID>\d+[^\=]+)</CODE><BR /> Regex to extract true/false value - <CODE>batchId\s+\=\=\>[0-9a-f\-]+\=\=(?P<value>\w+[^\s+]+)</CODE></P> <P>You can then find out all the events for which <CODE>value="false"</CODE>, get the respective batchId and set an alert.<BR /> Let me know if that works for you.</P> <P>Thank You!</P> Wed, 17 Oct 2018 11:24:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427078#M167005 MousumiChowdhur 2018-10-17T11:24:25Z Re: How do you find true or false value in the following string? https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427079#M167006 <P>Try this</P> <PRE><CODE>... | rex "batchId\s==>(?<batchId>[^=]+)==(?<batchIdBoolean>\w+)" | ... </CODE></PRE> Thu, 18 Oct 2018 11:56:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-true-or-false-value-in-the-following-string/m-p/427079#M167006 richgalloway 2018-10-18T11:56:19Z