Splunk Enterprise

How do I search for fields after extraction?

wuming79
Path Finder

I have created a search for the following on a data feed. The log appears in the format below:
"2641328 [EPS-log-dispatcher-11] INFO 1.24978294676695149906 - {"Log Header": "{"endpointKeyHash":{"string":"MAz7MadOhr02tPt5vtZsSEy9FWw="},"applicationToken":{"string":"24978294676695149906"},"headerVersion":{"int":1},"timestamp":{"long":1495594584490},"logSchemaVersion":{"int":2}}", "Event": {"temperature":-1,"timeStamp":1495594583638}}"

I have a search that extracts the fields I want, shown below, and now I want to create an alert that triggers when temperature is above 50.
temperature sourcetype=kaa | rex field=_raw "\"endpointKeyHash\":{\"string\":\"(?<endpoint>[^\"]+)\".*\"Event\": (?<mydata>{.*})}$" | spath input=mydata | table _time, endpoint, temperature | eval threshold=50

Using the above example, I can't just add | temperature > 50. It says
"Search Factory: Unknown search command 'temperature'. "

How should I phrase my search?

1 Solution

dineshraj9
Builder

You need to use it with the where or search command:

<your search> | where temperature > 50

OR

<your search> | eval threshold=50 | where temperature > threshold

OR

<your search> | search temperature > 50

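To check that the regex and the threshold filter from this thread actually behave as intended on the log format shown in the question, here is an added Python example (not Splunk code, and not from the poster or the answerer) that mirrors the same pipeline offline: the rex named groups become Python named groups, spath becomes json.loads on the extracted Event object, and the where clause becomes a numeric comparison. The sample log lines are constructed for this example, with the second and third lines invented to exercise the over-threshold and unparseable cases.

```python
import json
import re

# Constructed sample lines in the format shown in the question. The first line
# is the question's example; the other two are made up for this demonstration.
SAMPLE_LOGS = [
    '2641328 [EPS-log-dispatcher-11] INFO 1.24978294676695149906 - {"Log Header": '
    '"{"endpointKeyHash":{"string":"MAz7MadOhr02tPt5vtZsSEy9FWw="},'
    '"applicationToken":{"string":"24978294676695149906"},"headerVersion":{"int":1},'
    '"timestamp":{"long":1495594584490},"logSchemaVersion":{"int":2}}", '
    '"Event": {"temperature":-1,"timeStamp":1495594583638}}',
    '2641329 [EPS-log-dispatcher-11] INFO 1.24978294676695149906 - {"Log Header": '
    '"{"endpointKeyHash":{"string":"ExampleHashConstructed="},'
    '"applicationToken":{"string":"24978294676695149906"},"headerVersion":{"int":1},'
    '"timestamp":{"long":1495594600000},"logSchemaVersion":{"int":2}}", '
    '"Event": {"temperature":72,"timeStamp":1495594600123}}',
    # A line that does not carry an Event object at all.
    '2641330 [EPS-log-dispatcher-11] WARN dispatcher restarted',
]

# Same structure as the SPL rex: capture the endpoint hash and the whole
# Event JSON object that closes the line. Python spells named groups (?P<name>...).
LOG_PATTERN = re.compile(
    r'"endpointKeyHash":\{"string":"(?P<endpoint>[^"]+)"'
    r'.*"Event": (?P<mydata>\{.*\})\}$'
)


def extract_event(line):
    """Equivalent of `rex ... | spath input=mydata` for one raw event.

    Returns a dict with endpoint and temperature, or None when the line
    does not match the expected layout (such lines can never fire the alert).
    """
    match = LOG_PATTERN.search(line)
    if match is None:
        return None
    event = json.loads(match.group("mydata"))  # what spath does with the Event object
    return {
        "endpoint": match.group("endpoint"),
        "temperature": event.get("temperature"),
    }


def over_threshold(lines, threshold=50):
    """Equivalent of `| where temperature > threshold` over a batch of raw lines."""
    hits = []
    for line in lines:
        record = extract_event(line)
        if record is None or record["temperature"] is None:
            continue  # unparseable or field-less events are skipped, not alerted on
        if record["temperature"] > threshold:
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in over_threshold(SAMPLE_LOGS):
        print(f"ALERT endpoint={hit['endpoint']} temperature={hit['temperature']}")
```

Running the block prints one ALERT line for the constructed 72-degree event and nothing for the -1 reading or the unparseable line. In Splunk the equivalent is the search from the answer above (`... | spath input=mydata | where temperature > 50`); because only matching events survive the where clause, the saved alert can simply trigger when the result count is greater than zero.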
