https://community.splunk.com/t5/Splunk-Search/Define-a-field-and-get-an-integer-value/m-p/649972#M224724 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258534">@dnikam</a>,</P><P>You could try the following :</P><LI-CODE lang="markup">| &lt;you_base_search&gt; | rex field=&lt;field_where_you_have_your_numerical_info&gt; "^\D*(?&lt;Field1&gt;\d*)\/(?&lt;Field2&gt;\d*)" | eval ratio=Field2/Field1 | fields ratio, Field1, Field2 | where ratio &gt; 0.8</LI-CODE><P><EM>If you run this search, it will <STRONG>display an event only if the ratio is actually above 0.8&nbsp;</STRONG></EM></P><P>You can simply click on the "save as" button, choose alert and complete the other info, be sure to trigger the alert when the number of results is greater than zero, and select the correct schedule time, for instance :&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GaetanVP_0-1689076641310.png" style="width: 618px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26204iD82F866447C4A6A6/image-dimensions/618x656?v=v2" width="618" height="656" role="button" title="GaetanVP_0-1689076641310.png" alt="GaetanVP_0-1689076641310.png" /></span></P><P>Hope it helps !<BR />GaetanVP</P> Tue, 11 Jul 2023 11:57:45 GMT GaetanVP 2023-07-11T11:57:45Z https://community.splunk.com/t5/Splunk-Search/Define-a-field-and-get-an-integer-value/m-p/649910#M224696 <P>Hello,&nbsp;</P><P>I have a log file that do not conform to the log4j standards.&nbsp;</P><P>The log file entry is as&nbsp;</P><P>Some text before. Mem=500/300</P><P>&nbsp;</P><P>I would like to write a script and get value of Field1=500 and Field2=300.&nbsp;</P><P>Then compute Field1 and Field2 (For. e.g Field2/Field1 &gt; 0.8), then trigger an alert.&nbsp;</P><P>&nbsp;</P><P>Appreciate any help on how this can be achieved.&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P> Mon, 10 Jul 2023 23:19:05 GMT https://community.splunk.com/t5/Splunk-Search/Define-a-field-and-get-an-integer-value/m-p/649910#M224696 dnikam 2023-07-10T23:19:05Z https://community.splunk.com/t5/Splunk-Search/Define-a-field-and-get-an-integer-value/m-p/649912#M224697 <P>No script is necessary.&nbsp; It can be done within your query like this</P><LI-CODE lang="markup">... | rex "Mem=(?&lt;Field1&gt;\d+)\/(?&lt;Field2&gt;\d+)" | eval ratio=exact(Field2/Field1) | where ratio&gt;0.8</LI-CODE><P>Have the alert trigger when the number of results is not zero.</P> Tue, 11 Jul 2023 00:13:52 GMT https://community.splunk.com/t5/Splunk-Search/Define-a-field-and-get-an-integer-value/m-p/649912#M224697 richgalloway 2023-07-11T00:13:52Z https://community.splunk.com/t5/Splunk-Search/Define-a-field-and-get-an-integer-value/m-p/649972#M224724 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258534">@dnikam</a>,</P><P>You could try the following :</P><LI-CODE lang="markup">| &lt;you_base_search&gt; | rex field=&lt;field_where_you_have_your_numerical_info&gt; "^\D*(?&lt;Field1&gt;\d*)\/(?&lt;Field2&gt;\d*)" | eval ratio=Field2/Field1 | fields ratio, Field1, Field2 | where ratio &gt; 0.8</LI-CODE><P><EM>If you run this search, it will <STRONG>display an event only if the ratio is actually above 0.8&nbsp;</STRONG></EM></P><P>You can simply click on the "save as" button, choose alert and complete the other info, be sure to trigger the alert when the number of results is greater than zero, and select the correct schedule time, for instance :&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GaetanVP_0-1689076641310.png" style="width: 618px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26204iD82F866447C4A6A6/image-dimensions/618x656?v=v2" width="618" height="656" role="button" title="GaetanVP_0-1689076641310.png" alt="GaetanVP_0-1689076641310.png" /></span></P><P>Hope it helps !<BR />GaetanVP</P> Tue, 11 Jul 2023 11:57:45 GMT https://community.splunk.com/t5/Splunk-Search/Define-a-field-and-get-an-integer-value/m-p/649972#M224724 GaetanVP 2023-07-11T11:57:45Z