I am trying to filter my search for a field only if the result is not a number
EG
Index=proxylogs where isnum(cs_user) - This gives me the results only if the cs_user field is a number. I want the opposite: to show me only the ones that are NOT a number.
I have tried isStr but that still gives me the numerical answers as well. I have tried various combinations of NOT's but cannot seem to get it to display only the non-numericals.
Any help is greatly appreciated
V/r
-Brad
Index=proxylogs ... | where NOT isnum(cs_user)
or
index=proxylogs .... | where isstr(cs_user)
Check the links below:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
For completion I would use the following perhaps:
index=proxylogs
| regex cs_user="\D+"
Where the regular expression \D refers to any non-numerical character and the plus means one or more occurrences.
Thanks,
J
Try the following:
<YourBaseSearch>
| where !(isnum(cs_user))
So, you're saying this didn't work?
index=proxylog | where NOT isnum(cs_user)
Give this a try as well.
index=proxylog | regex cs_user!="^[\d\.,]+$"
You should be aware that all of these answers are throwing away events where field cs_user has no value at all (e.g. isnull(cs_user)) which you might care about, or might not.
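The two regex filters suggested in this thread do not select the same values. The Python sketch below is an added example, not code from any poster or from Splunk; it runs the two quoted patterns over constructed cs_user values and counts events with no cs_user separately. The function names and the sample events are assumptions, and it reproduces only the regular-expression logic, not Splunk's own evaluation.

```python
import re

# Patterns quoted from the answers in this thread (ASCII digits only).
CONTAINS_NON_DIGIT = re.compile(r"\D+", re.ASCII)         # regex cs_user="\D+"
ONLY_NUMERIC_CHARS = re.compile(r"^[\d\.,]+$", re.ASCII)  # regex cs_user!="^[\d\.,]+$"


def keep_contains_non_digit(value):
    """Unanchored match: true if a non-digit appears anywhere in the value."""
    return CONTAINS_NON_DIGIT.search(value) is not None


def keep_not_only_numeric(value):
    """Negated anchored match: true unless the value is only digits, dots, commas."""
    return ONLY_NUMERIC_CHARS.search(value) is None


def classify(events, predicate, field="cs_user"):
    """Split events into kept / dropped values and count those missing the field."""
    out = {"kept": [], "dropped": [], "missing": 0}
    for ev in events:
        value = ev.get(field)
        if value is None:
            out["missing"] += 1  # counted separately so the loss is visible
        elif predicate(value):
            out["kept"].append(value)
        else:
            out["dropped"].append(value)
    return out


# Constructed sample events (hypothetical, not real proxy logs).
SAMPLE_EVENTS = [
    {"cs_user": "12345"},
    {"cs_user": "jsmith"},
    {"cs_user": "user42"},
    {"cs_user": "10.5"},
    {"cs_user": "1,234"},
    {"cs_user": "-"},
    {"c_ip": "192.0.2.10"},  # event with no cs_user field at all
]

if __name__ == "__main__":
    for name, pred in (("contains a non-digit", keep_contains_non_digit),
                       ("not only numeric characters", keep_not_only_numeric)):
        print(name, classify(SAMPLE_EVENTS, pred))
```

The unanchored pattern keeps "10.5" and "1,234" because each contains one non-digit character, while the negated anchored pattern treats them as numeric and drops them.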