Solved: Dynamically analyze fields?

sf_user_199 · ‎08-23-2011

I have some data that looks like this:

priority=INFO thread= location= line= field1=OK,field2=OK,field3=OK....field45=OK

What I need to do is analyze field1 through field45 (the number may change) to see if they all equal 'OK'. If not 'OK' then alert. The field names do not all start with the same thing (so no field*).

I can, however, do something like this in the search:

| rex "(?i)line=[\d]\w(?P.*)" | fields host,kv_pairs_to_check| makemv kv_pairs_to_check delim=","

This is kinda giving me the data I want, but not really, and I haven't been able to figure out how to check every kv pair if the value is 'OK' for all of them.

fk319 · ‎08-24-2011

how about instead of putting them in a seperate field, use the same field.?

at the moment I am not sure, but if you know the total and the number of OK's are not the same then error, or regex out the OK and report what is left over?

Probably not very helpfull, but maybe someone else can expand on this idea...

View solution in original post

fk319 · ‎08-24-2011

how about instead of putting them in a seperate field, use the same field.?

at the moment I am not sure, but if you know the total and the number of OK's are not the same then error, or regex out the OK and report what is left over?

Probably not very helpfull, but maybe someone else can expand on this idea...

sf_user_199 · ‎08-24-2011

I won't know the exact numbers, so counting is out. Looking for =[^O] is a great idea, however. I'm going to play around with that...

fk319 · ‎08-24-2011

ok, I was think about this a different way, could you take your list of fields as just one field and search to see if you have a regex of '=[^O]' ?

Dynamically analyze fields?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!