Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Define a field and get an integer value

dnikam
New Member
‎07-10-2023 04:19 PM

Hello, 

I have a log file that do not conform to the log4j standards. 

The log file entry is as 

Some text before. Mem=500/300

 

I would like to write a script and get value of Field1=500 and Field2=300. 

Then compute Field1 and Field2 (For. e.g Field2/Field1 > 0.8), then trigger an alert. 

 

Appreciate any help on how this can be achieved. 

 

Thanks,

 

Labels (1)
Labels
0 Karma
Reply

GaetanVP
Contributor
‎07-11-2023 04:57 AM

Hello @dnikam,

You could try the following :

| <you_base_search>
| rex field=<field_where_you_have_your_numerical_info> "^\D*(?<Field1>\d*)\/(?<Field2>\d*)"
| eval ratio=Field2/Field1
| fields ratio, Field1, Field2
| where ratio > 0.8

If you run this search, it will display an event only if the ratio is actually above 0.8 

You can simply click on the "save as" button, choose alert and complete the other info, be sure to trigger the alert when the number of results is greater than zero, and select the correct schedule time, for instance : 

GaetanVP_0-1689076641310.png

Hope it helps !
GaetanVP

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-10-2023 05:13 PM

No script is necessary.  It can be done within your query like this

...
| rex "Mem=(?<Field1>\d+)\/(?<Field2>\d+)"
| eval ratio=exact(Field2/Field1)
| where ratio>0.8

Have the alert trigger when the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...