I have a field called 'indication' which has values in the form of text - 123.1. I'm trying to set up an alert to detect an erroneous case where values of the form text - 123.1 - OTHER occur. The key thing to note here is that the bug is when - OTHER is inserted in the field value. I'm trying to see if there's a way in which I can be alerted when the condition where -OTHER is followed by the number occurs (i.e., there are cases where "text-OTHER" can occur, which is not erroneous, so I want to exclude these cases in my alert). Also note that the 'text' portion is different for different fields, so I cannot set a condition on that.
For example, there are cases like:
"thisisrandomtext - 123.11 " (which is acceptable)
"morerandom texthere - 232.0" (which is acceptable)
"thisisra ndcoma gain - OTHER" (which is acceptable)
"thisisanerrorcase - 121.112 - OTHER" (which is an ERROR)
"thisisanerror again test - 123 - OTHER" (which is an ERROR)
So I guess the real indication of the error pattern would be a number followed by - and OTHER.
Is there some way I could break this field into 3 parts (text | number | - OTHER) using Rex and set up an alert when the last field has a value in it (i.e., detect the presence of "-OTHER")?
Again, this does not look at the contents itself, only whether there are three parts or not. If you want to ensure that the second part is either "OTHER" or a number as specified, it gets more complicated:
... |rex field=indication "^([^-]+)\s*-\s*(?<middle>[0-9.]+|OTHER)(?<bad_data>\s*-.*)?"
| where isnull(bad_data) AND isnotnull(middle)
Based on the input and the description, you could also do this by doing a simple split (using makemv) and checking whether the third field is null or not. This is a simple solution and it does not look into the actual values.
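An added example (not part of the original thread): the Python below runs an end-anchored pattern for the error described in the question, a number followed by `- OTHER`, next to a plain split-and-count check over the question's sample values. The last three values and all function names are constructed for illustration; Python writes named groups as `(?P<name>...)` where `rex` uses `(?<name>...)`.

```python
import re

# Error signature stated in the question: a number, then "-", then OTHER,
# at the end of the value. Only the tail is matched; the text prefix is ignored.
ERROR_TAIL = re.compile(r"-\s*(?P<number>\d+(?:\.\d+)?)\s*-\s*OTHER\s*$")

# First five values are the examples from the question; the rest are
# constructed to cover "text-OTHER" and a hyphen inside the text portion.
SAMPLES = [
    "thisisrandomtext - 123.11 ",
    "morerandom texthere - 232.0",
    "thisisra ndcoma gain - OTHER",
    "thisisanerrorcase - 121.112 - OTHER",
    "thisisanerror again test - 123 - OTHER",
    "text-OTHER",
    "multi-part text - 12.5",
    "multi-part text - 12.5 - OTHER",
]


def is_error_regex(indication):
    """True when the value ends in '<number> - OTHER'."""
    return ERROR_TAIL.search(indication) is not None


def is_error_split(indication):
    """Split on '-' and report an error when a third part exists."""
    parts = [p.strip() for p in indication.split("-")]
    return len(parts) >= 3 and parts[2] != ""


def compare(values):
    """Return (value, regex_verdict, split_verdict) for each value."""
    return [(v, is_error_regex(v), is_error_split(v)) for v in values]


if __name__ == "__main__":
    for value, by_regex, by_split in compare(SAMPLES):
        note = "" if by_regex == by_split else "  <- checks disagree"
        print(f"{value!r:45} regex={by_regex!s:5} split={by_split!s:5}{note}")
```

The two checks agree on every value from the question and differ only on the constructed value with a hyphen inside the text portion, which the split check counts as a third part.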