Solved: How do I make a Splunk query to find where X is gr...

compguy · ‎02-26-2019

I have a log: "TOTAL NUMBER OF RECORDS IS:0"

I need to Query it in a way that it finds a log message if the number of records turns out to be more than 0.

I have tried the following

sourcetype = Mylogs | rex "\d+:\d+:\d+\s(?< TOTAL NUMBER OF RECORDS IS:>\d+)$" | where TOTAL NUMBER OF RECORDS IS:>=25

It gives a terminator Error. I have tried with it does not show up. Is there a way?

damann · ‎02-27-2019

I guess your provided log example is just a part of the original event.

Try the following query for your regex:

basesearch | rex "TOTAL NUMBER OF RECORDS IS:(?<totalRecords>\d+)" | where totalRecords >= 25

damann · ‎02-27-2019

I guess your provided log example is just a part of the original event.

Try the following query for your regex:

basesearch | rex "TOTAL NUMBER OF RECORDS IS:(?<totalRecords>\d+)" | where totalRecords >= 25

richgalloway · ‎02-27-2019

There are a few things wrong with that query.

The regular expression looks for 3 sets of digits separated by colons. That doesn't match your example. Try TOTAL NUMBER OF RECORDS IS:(?<field>\d+). You may even get by with :(?\<field>d+).
The field name in your query should not have spaces in it. Try something like TotalNumberOfRecords.
Field names can't contain colons. That's probably the source of the error message.

Try this query: sourcetype=mylogs | rex ":\d+(?<TotalNumberOfRecords>\d+)" | where TotalNumberOfRecords>=25

---
If this reply helps you, Karma would be appreciated.

compguy · ‎02-27-2019

That query throws a field too long error

compguy · ‎02-27-2019

But :(?\<field>d+) works

How do I make a Splunk query to find where X is greater than 0?