- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to filter my search for a field only if the result is not a number
EG
Index=proxylogs where isnum(cs_user) - This gives me the results only if the cs_user field is a number, i want the opposite; to show me only the ones that are NOT a number
I have tried isStr but that still gives me the numerical answers as well. I have tried various combinations of NOT's but cannot seem to get it to display only the non-numericals.
Any help is greatly appreciated
V/r
-Brad
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Index=proxylogs ... | where NOT isnum(cs_user)
or
index=proxylogs .... | where isstr(cs_user)
check below links,
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For completion I would use the following perhaps:
index=proxylogs
| regex cs_user="\D+"
Where the regular expression \D refers to any non-numerical character and the plus means one or more occurrences.
Thanks,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the following:
<YourBaseSearch>
| where !(isnum(cs_user))
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, you're saying this didn't work?
index=proxylog | where NOT isnum(cs_user)
Give this a try as well.
index=proxylog | regex cs_user!="^[\d\.,]+$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Index=proxylogs ... | where NOT isnum(cs_user)
or
index=proxylogs .... | where isstr(cs_user)
check below links,
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be aware that all of these answers are throwing away events where field cs_user has no value at all (e.g. isnull(cw_user) ) which you might care about, or might not.
