Archive

Check for only non-numeric value in an extracted field

Explorer

I have following string:

2011-12-01T13:31:25-05:0063487210, TEST# 67779806

I have written the following search string:

host="source" source="Out.log" "TEST# "| rex "TEST# (?<test_no>\t+) "

I want to check if "TEST#" contains any non-numeric values (TEST# must contain all numeric field so that the child applications work properly. Child applications can't handle non-numeric value in TEST# field).

How can I check and alert incase there is some non-numeric value in TEST# field.

Please advice.

Tags (2)
0 Karma
1 Solution

Legend

I don't get the test_no extraction. It seems to match one or more tabs after TEST#? Typo?

Anyway regarding the question, how to check if a field has numeric content only: either use regex:

... | regex test_no="^\d+$"

Or where with the function isnum:

... | where isnum(test_no)

View solution in original post

Explorer

Thanks a lot for the answer. I was able to solve the issue.

0 Karma

SplunkTrust
SplunkTrust

That's good. Please use the "accept answer" checkbox next to one of the answers to accept it and mark the question as "answered".

0 Karma

Ultra Champion

Have you looked at eval or where?

There is a function for eval (and where) which is called isnum(X), which may may be what you need.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

hope this helps,

/kristian

Legend

I don't get the test_no extraction. It seems to match one or more tabs after TEST#? Typo?

Anyway regarding the question, how to check if a field has numeric content only: either use regex:

... | regex test_no="^\d+$"

Or where with the function isnum:

... | where isnum(test_no)

View solution in original post

Ultra Champion

I'll have to learn to finish my answer and hit that "post your answer" button.... 🙂

0 Karma