Archive

regex help text and numeric value

New Member

Hi, I have a following text coming in splunk

abcd, 2000-01-10 10:40:43, P:welcome, welcome_to_all, 0, 2000-01-10 16:09:04
abcd, 2000-01-10 10:40:45, P:welcome, welcome_to_all, 1, 2000-01-10 16:10:04

I want to write a search which will get me only having text "welcometoall" and the next field should be greater than or equal to 1.

I am able to write the regex but regex _raw="(welcome_to_all,\d{0})" but not sure how to get the greater than 1. The regex which I wrote is pulling all 0 but I need which are greater than 0.

Thanks,

Tags (2)
0 Karma

Builder

I think you can use welcome_to_all,s[0,100+] not totally sure if this is true, you might also be able to use >100 in your rex statement.

0 Karma

New Member

Hi, thanks for your responses. Let me elaborate. The values that comes after the string "welcometoall" is a string and what "richgalloway" said is correct it helps me resolve my issue, but I have another question,

  1. How do I find if its greater than 100, I want to get the strings which are having greater than 100 or more?

With the current rex "welcometoall,\s[100]" I will be getting only value 100 but if I want to get values like '0', and above 100 what should I do?

abcd, 2000-01-10 10:40:43, P:welcome, welcometoall, 0, 2000-01-10 16:09:04
abcd, 2000-01-10 10:40:45, P:welcome, welcometoall, 1, 2000-01-10 16:10:04

Thanks for your help

0 Karma

SplunkTrust
SplunkTrust

Hi dbashyam,

try something like this:

rex "all,\s[0],{1}|all,\s1\d{2},"

this will match 0 or 100-199

cheers, MuS

0 Karma

SplunkTrust
SplunkTrust

I think you were close. Try

rex "welcome_to_all,\s[^0]"
---
If this reply helps you, an upvote would be appreciated.

Builder

Please explain in more depth, as I'm not totally sure what the equal to 1 or greater than 1 means?

I think the solution could be a simple search with an IF statement? Just an idea, if you put some more depth in, with what you want, and an example, I'll be able to help.

0 Karma