Define a field and get an integer value

dnikam · ‎07-10-2023

Hello,

I have a log file that do not conform to the log4j standards.

The log file entry is as

Some text before. Mem=500/300

I would like to write a script and get value of Field1=500 and Field2=300.

Then compute Field1 and Field2 (For. e.g Field2/Field1 > 0.8), then trigger an alert.

Appreciate any help on how this can be achieved.

Thanks,

GaetanVP · ‎07-11-2023

Hello @dnikam,

You could try the following :

| <you_base_search>
| rex field=<field_where_you_have_your_numerical_info> "^\D*(?<Field1>\d*)\/(?<Field2>\d*)"
| eval ratio=Field2/Field1
| fields ratio, Field1, Field2
| where ratio > 0.8

If you run this search, it will display an event only if the ratio is actually above 0.8

You can simply click on the "save as" button, choose alert and complete the other info, be sure to trigger the alert when the number of results is greater than zero, and select the correct schedule time, for instance :

Hope it helps !
GaetanVP

richgalloway · ‎07-10-2023

No script is necessary. It can be done within your query like this

...
| rex "Mem=(?<Field1>\d+)\/(?<Field2>\d+)"
| eval ratio=exact(Field2/Field1)
| where ratio>0.8

Have the alert trigger when the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.

Define a field and get an integer value

regex

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Define a field and get an integer value

regex

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES