Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Compare values in search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I've read through some of the other questions on here to try and find an answer to my question, but i'm still not 100% sure so here goes.
I am running this search:
sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="12" [BalanceEmail]
Basically, the short story is that a bunch of emails go out to clients. there usually is always a set number of emails that are supposed to go out and in the logs, it will state something like this:
[BalanceEmail] Total number of registrars' email to be sent: 125
[BalanceEmail]125 of 125 of email notification sent.
Processed 125 records in step 1
What I'd like to do is out of the results I got from running the above search, I want to then match up the total number of emails to be sent with how many actually were sent out. If the number sent out is less then the number to be sent, I'll generate an email to go out if the search results indicate the value is less then the number of emails that were supposed to go out:
I'm still a little new to all of this so having a hard time weeding through all the options I might have. Suggestions?
I'm wondering if I should extract [BalanceEmail] as a new field. I was going to try that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure there's enough information here for a proper answer, but here's an attempt:
It looks like you just need either a field extraction or a rex command to pulls out the two numbers from this event:
[BalanceEmail]125 of 125 of email notification sent.
And the other events are not important?
Say that you had those fields extracted, and one was called totalEmailsToSend, and the other was called totalEmailsSent. If that's the case then this search would filter your results down to just the rows that had sent less than they were supposed to:
<your search> | where totalEmailsToSend < totalEmailsSent
And you'd run that search on a schedule and have it email you if it ever matches one or more events.
And a regex that would do it would be:
^\[BalanceEmail\](?<totalEmailsSent>[\d]+) of (?<totalEmailsToSend>[\d]+) of email notification sent\.
To try and put it all together (just using rex for now)
sourcetype="cron_BalanceEmail" source="asia" starthoursago="12" "[BalanceEmail]" email notification sent | rex field=_raw "^\[BalanceEmail\](?<totalEmailsSent>[\d]+) of (?<totalEmailsToSend>[\d]+) of email notification sent\." | where totalEmailsToSend < totalEmailsSent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure there's enough information here for a proper answer, but here's an attempt:
It looks like you just need either a field extraction or a rex command to pulls out the two numbers from this event:
[BalanceEmail]125 of 125 of email notification sent.
And the other events are not important?
Say that you had those fields extracted, and one was called totalEmailsToSend, and the other was called totalEmailsSent. If that's the case then this search would filter your results down to just the rows that had sent less than they were supposed to:
<your search> | where totalEmailsToSend < totalEmailsSent
And you'd run that search on a schedule and have it email you if it ever matches one or more events.
And a regex that would do it would be:
^\[BalanceEmail\](?<totalEmailsSent>[\d]+) of (?<totalEmailsToSend>[\d]+) of email notification sent\.
To try and put it all together (just using rex for now)
sourcetype="cron_BalanceEmail" source="asia" starthoursago="12" "[BalanceEmail]" email notification sent | rex field=_raw "^\[BalanceEmail\](?<totalEmailsSent>[\d]+) of (?<totalEmailsToSend>[\d]+) of email notification sent\." | where totalEmailsToSend < totalEmailsSent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It makes sense, but the regex that I included as an example would indeed only match that line and it shouldn't match any other of your events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually looking today I think i ran into a problem.
[BalanceEmail]125 of 125 of email notification sent. If all I want to do is extract the first number and call it TotalEmailsSent and then extract the second number and call it TotalEmailsToSend it appears to be a bit difficult because when I do extract that area as a field, it's also recognizing other things I do not want when I test the field extraction. I only want the numbers from the line that starts with [BalanceEmail] and no other numbers from other lines that may start with something else....if that makes sense....:/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That actually did work. I was able to use the field extractor and create the search. I don't know why but I tried this the other day and must have did something wrong. I'm going to test this a bit more but I believe this worked. 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
