Splunk Search

How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

Path Finder

Please find the sample entries of two log messages given below. I want a search condition to select a report with the value "reportReferenceNumber" : 0

Please help?

Log message 1

"report" : {
    "reportReferenceNumber" : 0,
    "report" : {
      "venue" : {
        "locationId" :2,
        "landmark" : "opp to station",
        ..
     }
}

Log message 2

"report" : {
    "reportReferenceNumber" : 1323,
    "report" : {
      "venue" : {
        "locationId" :2,
        "landmark" : "opp to station",
        ..
     }
}
0 Karma

Champion

You should be able to use the regex command to filter on events that match a criteria. What does your base search look like? Is that full log entry one event in your env? Something like this should work, but if none of these suggestions are working for you, then we may need a little more context...

[your base search] | regex "\"reportReferenceNumber\" : 0," | [stuff to do with the results]
0 Karma

SplunkTrust
SplunkTrust

Somesoni2's answer should have worked. Try this:

... | rex "reportReferenceNumber\"\s:\s(?P<report_reference_number>\d+)" | search report_reference_number=0 | ...

It works with your sample logs in regex101.com.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Path Finder

When I use your query I am getting "unbalanced query" error. but when I try using query below, No response again.

rex "\"crimeReferenceNumber\"\s:\s(?P\d+)" | search crimereferencenumber=0

0 Karma

SplunkTrust
SplunkTrust

I left out an escape character. Please try my updated answer.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

SplunkTrust
SplunkTrust

You can also filter without the field extraction

index=foo sourcetype=bar  "\"reportReferenceNumber\" : 0" | rest of the search ....
0 Karma

Path Finder

sorry for the delayed response. your suggestion not working. Getting "No record" found error

0 Karma

Influencer
... | rex (?m) reportReferenceNumber\W\s\W\s(?P<REPORT_REFERENCE_NUMBER>.\d+)\W | search REPORT_REFERENCE_NUMBER = 0

You can extract the number into a field and filter on it

0 Karma

Path Finder

Sorry for the delayed response. Your suggestion not working.
Getting the following error. I used exactly as you described.

⚠Error in 'rex' command: The regex '(?m)' does not extract anything. It should specify at least one named group. Format: (?...).

0 Karma

SplunkTrust
SplunkTrust

The rex command argument needs to be in quotation marks.

... | rex "(?m)reportReferenceNumber\W\s\W\s(?P<REPORT_REFERENCE_NUMBER>.\d+)\W" |...
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Path Finder

No result apearing when I combine your suggestion (richgalloway) with search REPORTREFERENCENUMBER= 0
when I remove search REPORTREFERENCENUMBER= 0, I am getting too many result.

0 Karma