topic Re: How to find field data that does not match expected output in Splunk Search

How to find field data that does not match expected output

vincenp2 — Wed, 10 Jan 2018 08:13:05 GMT

I am collecting data from a field that should contain a 9 digit number.
I am finding that there are some instances where this field is blank, or contains alphanumeric characters

In order to quantify the issue (and identify this other content), could anyone advise what search query can I use to identify these events where the field does NOT contain a 9 digit number please ?

Re: How to find field data that does not match expected output

mayurr98 — Wed, 10 Jan 2018 08:26:30 GMT

hey @vincenp2

Try this run anywhere search

| makeresults | eval your_field="123456789" | rex field=your_field "(?P<field1>^\d{9})"

your_field is the field that contains blank,9 digit and alphanumeric characters/numbers and field1 is the one with only 9 digit number which you can use for further analysis.

In your environment you should write

    <your_base_search>|  rex field=your_field "(?P<field1>^\d{9})"

chekc for field1 values which you can use in search query instead your_field

Let me know if this works!

Re: How to find field data that does not match expected output

micahkemp — Wed, 10 Jan 2018 15:31:00 GMT

rex field=your_field "^(?<expected_field>[0-9]{9})$" | search NOT expected_field=*

Re: How to find field data that does not match expected output

vincenp2 — Thu, 11 Jan 2018 13:00:10 GMT

Thanks for the input - it didn't quite produce what I was wanting - whether that was me getting it wrong somewhere or not I'm not sure - the accepted answer has provided the info I needed _ I don't know if from this you can get an understanding of the differences?

Thanks for replying though, much appreciated 🙂

Re: How to find field data that does not match expected output

vincenp2 — Thu, 11 Jan 2018 13:01:22 GMT

Thanks very much for this - it has provided me with a list of all events that do NOT contain a 9 digit number in the field, which is exactly what I wanted 🙂

Re: How to find field data that does not match expected output

mayurr98 — Thu, 11 Jan 2018 13:04:36 GMT

hey this also gives same output just that you need to filter out events

 <your_base_search>|  rex field=your_field "(?P<field1>^\d{9})" | search NOT field1=*

Re: How to find field data that does not match expected output

micahkemp — Sat, 13 Jan 2018 05:19:15 GMT

I think the issue with your regex may be that it doesn't enforce that there are no additional characters after the nine digits.