'BuildInfo' field as "ABCYYYY_Number|XYZ" for eg "...

VS0909 · ‎09-13-2020

I have 'BuildInfo' field as "ABCYYYY_Number|XYZ" for eg "ABC2020_17|XYZ.

Number will be keep increasing for a year( like 1, 2, 3, 4.....) . For next year the Number will again reset to 1 and then keep increasing. "ABC2021_1|XYZ"

I want to compare "error1" in consecutive "BuildInfo" . Please help

ITWhisperer · ‎09-14-2020

It is not entirely clear what you are after. if you want to remove the year and build number from the field so that you can then group by build name then do something like this

| rex field=BuildInfo mode=sed "s/\d{4}_\d+|/|/g"

You can probably then use _time to order your log entries. If you still need the BuildInfo, then copy it to another field and edit that

If you need the year and build number extracted as a number so you can do numerical ordering (2020_1, 2020_2, ...2020_9, 2020_10, ...) rather than lexicographical ordering (2020_1, 2020_10, 2020_2, ...) then you could try something like this

| rex field=BuildInfo "\w+(?<year>\d{4})_(?<build>\d+)|"
| eval combined=(tonumber(year) * 1000) + tonumber(build)

This assumes you don't have 1000+ builds per year. You could also probably just use the last two digits of the year if you like.

'BuildInfo' field as "ABCYYYY_Number|XYZ" for eg "ABC2020_17|XYZ. Compare "error1" in consecutive "BuildInfo"

count

field extraction

fields

regex

rex

stats

transaction

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?

'BuildInfo' field as "ABCYYYY_Number|XYZ" for eg "ABC2020_17|XYZ. Compare "error1" in consecutive "BuildInfo"