Splunk Search

How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

Path Finder

Please find sample entries of two log messages below. I want a search condition to select a report with the value "reportReferenceNumber" : 0.

Please help?

Log message 1

"report" : {
    "reportReferenceNumber" : 0,
    "report" : {
      "venue" : {
        "locationId" :2,
        "landmark" : "opp to station",
        ..
     }
}

Log message 2

"report" : {
    "reportReferenceNumber" : 1323,
    "report" : {
      "venue" : {
        "locationId" :2,
        "landmark" : "opp to station",
        ..
     }
}
0 Karma

Re: How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

Influencer
... | rex (?m) reportReferenceNumber\W\s\W\s(?P<REPORT_REFERENCE_NUMBER>.\d+)\W | search REPORT_REFERENCE_NUMBER = 0

You can extract the number into a field and filter on it.

0 Karma

Re: How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

Path Finder

Sorry for the delayed response. Your suggestion is not working.
I am getting the following error. I used it exactly as you described.

Error in 'rex' command: The regex '(?m)' does not extract anything. It should specify at least one named group. Format: (?<name>...).

0 Karma

Re: How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

SplunkTrust

The rex command argument needs to be in quotation marks.

... | rex "(?m)reportReferenceNumber\W\s\W\s(?P<REPORT_REFERENCE_NUMBER>.\d+)\W" |...
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

Path Finder

No result is appearing when I combine your suggestion (richgalloway) with search REPORTREFERENCENUMBER= 0.
When I remove search REPORTREFERENCENUMBER= 0, I get too many results.

0 Karma

Re: How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

SplunkTrust

You can also filter without the field extraction:

index=foo sourcetype=bar  "\"reportReferenceNumber\" : 0" | rest of the search ....
0 Karma

Re: How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

Path Finder

Sorry for the delayed response. Your suggestion is not working. I am getting a "No record found" error.

0 Karma

Re: How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

SplunkTrust

Somesoni2's answer should have worked. Try this:

... | rex "reportReferenceNumber\"\s:\s(?P<report_reference_number>\d+)" | search report_reference_number=0 | ...

It works with your sample logs in regex101.com.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
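Added example, not part of the thread: a small Python script that runs the two rex patterns posted above over constructed events modelled on the sample log messages. Python's re module, like Splunk's PCRE, accepts (?P<name>...) named groups, so the patterns can be pasted in verbatim. The script shows why the first reply's pattern can never return a 0: `.\d+` needs one arbitrary character followed by at least one digit, so `0,` fails while `1323,` matches. It also adds a more tolerant pattern of my own (not from the thread) that allows any whitespace around the colon, since the samples contain `"locationId" :2` with no space after the colon; the third event, with no spaces at all, is my assumption.

```python
import re

# Constructed events modelled on the two log messages in the question. The
# third event is an assumption: the same record with no whitespace around the
# colons, which the `"locationId" :2` line in the samples suggests can occur.
EVENTS = [
    '"report" : {\n'
    '    "reportReferenceNumber" : 0,\n'
    '    "report" : {\n'
    '      "venue" : {\n'
    '        "locationId" :2,\n'
    '        "landmark" : "opp to station"\n'
    '     }\n'
    '}',
    '"report" : {\n'
    '    "reportReferenceNumber" : 1323,\n'
    '    "report" : {\n'
    '      "venue" : {\n'
    '        "locationId" :2,\n'
    '        "landmark" : "opp to station"\n'
    '     }\n'
    '}',
    '"report":{"reportReferenceNumber":0,"report":{"venue":'
    '{"locationId":2,"landmark":"opp to station"}}}',
]

# Pattern from the first reply in the thread, verbatim.
FIRST_REPLY_REX = r'(?m)reportReferenceNumber\W\s\W\s(?P<REPORT_REFERENCE_NUMBER>.\d+)\W'

# Pattern from richgalloway's later reply, verbatim.
FIXED_REX = r'reportReferenceNumber"\s:\s(?P<report_reference_number>\d+)'

# Added tolerant pattern (my assumption, not from the thread): anchor on the
# quoted key, allow any whitespace around the colon, and require the digits to
# end at a word boundary so a value like 0abc is not reported as 0.
TOLERANT_REX = r'"reportReferenceNumber"\s*:\s*(?P<report_reference_number>\d+)\b'


def rex(pattern, event):
    """Mimic `| rex`: return the named-group fields of the first match, or {}."""
    m = re.search(pattern, event)
    return m.groupdict() if m else {}


def search_equals(events, pattern, field, value):
    """Mimic `| rex ... | search field=value`, comparing numerically like Splunk."""
    hits = []
    for ev in events:
        raw = rex(pattern, ev).get(field)
        if raw is None:
            continue  # field was not extracted for this event
        try:
            if int(raw) == value:
                hits.append(ev)
        except ValueError:
            continue  # capture was not a number; treat as no match
    return hits


if __name__ == "__main__":
    for name, pat in [("first reply", FIRST_REPLY_REX),
                      ("fixed", FIXED_REX),
                      ("tolerant", TOLERANT_REX)]:
        print(f"{name:12s} -> {[rex(pat, ev) for ev in EVENTS]}")
    for name, pat, field in [("first reply", FIRST_REPLY_REX, "REPORT_REFERENCE_NUMBER"),
                             ("fixed", FIXED_REX, "report_reference_number"),
                             ("tolerant", TOLERANT_REX, "report_reference_number")]:
        n = len(search_equals(EVENTS, pat, field, 0))
        print(f"{name:12s} -> {n} event(s) with reportReferenceNumber 0")
```

Note that the field name used in `search` must match the group name in the rex exactly, including case and underscores; the script above uses the same name in both places for each pattern.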

Re: How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

Path Finder

When I use your query I am getting an "unbalanced query" error, but when I try the query below, there is no response again.

rex "\"crimeReferenceNumber\"\s:\s(?P<crimereferencenumber>\d+)" | search crimereferencenumber=0

0 Karma

Re: How do I search for a field with the value 0 in this format in my logs? "reportReferenceNumber" : 0

SplunkTrust

I left out an escape character. Please try my updated answer.

---
If this reply helps you, an upvote would be appreciated.
0 Karma