Solved: How do search fo fields after extraction?

wuming79 · ‎05-30-2017

I have created a search for the following on a data feed. The log will show in format below:
"2641328 [EPS-log-dispatcher-11] INFO 1.24978294676695149906 - {"Log Header": "{"endpointKeyHash":{"string":"MAz7MadOhr02tPt5vtZsSEy9FWw="},"applicationToken":{"string":"24978294676695149906"},"headerVersion":{"int":1},"timestamp":{"long":1495594584490},"logSchemaVersion":{"int":2}}", "Event": {"temperature":-1,"timeStamp":1495594583638}}"

I have a search to extract the fields I wanted as below and now I wanted to create an alert to trigger when temperature is above 50.
temperature sourcetype=kaa | rex field=_raw "\"endpointKeyHash\":{\"string\":\"(?[^\"])\".\"Event\": (?{.*})}$"| spath input=mydata | table _time, endpoint, temperature | eval threshold=50

Using the above example, I can't just add | temperature > 50. It says
"Search Factory: Unknown search command 'temperature'. "

How should I phrase my search?

dineshraj9 · ‎05-30-2017

You need to use it with where or search command -

<your search> | where temperature > 50

OR

<your search> | eval threshold=50 | where temperature > threshold

OR

<your search> | search temperature > 50

View solution in original post

dineshraj9 · ‎05-30-2017

You need to use it with where or search command -

<your search> | where temperature > 50

OR

<your search> | eval threshold=50 | where temperature > threshold

OR

<your search> | search temperature > 50

How do search fo fields after extraction?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation