Splunk Search

How do I split the values of a field which have a pattern?

I have a field called 'indication' which has values in the form of text - 123.1. I'm trying to set up an alert to detect an erroneous case where values of the form text - 123.1 - OTHER occur. The key thing to note here is that the bug is when - OTHER is inserted in the field value. I'm trying to see if there's a way in which I can be alerted when the condition where -OTHER is followed by the number. (i.e., there are cases where "text-OTHER" can occur, which is not erroneous, so I want to exclude these cases in my alert). Also note that the 'text' portion is different for different fields, so I cannot set a condition on that.

For example, there are cases like:

"thisisrandomtext - 123.11 " (which is acceptable)
"morerandom texthere - 232.0" (which is acceptable)
"thisisra ndcoma gain - OTHER" (which is acceptable)
"thisisanerrorcase - 121.112 - OTHER" (which is an ERROR)
"thisisanerror again test - 123 - OTHER" (which is an ERROR)

So I guess the real indication of the error pattern would be a number followed by - and OTHER.

Is there some way I could break this field into 3 parts (text | number | - OTHER) using Rex and set up an alert when the last field has a value in it (i.e., detect the presence of "-OTHER")?

Thank you so much!


Hi again,

As tom_frotscher pointed out, there is more than one way to do it (TIMTOWTDI). If you prefer to use rex, this should do it:

... |rex field=indication "([^-]+-){2}(?<bad_data>.+)$" |where isnull(bad_data)

Again, this does not look at the contents itself, only whether there are three parts or not. If you want to ensure that the second part is either "OTHER" or a number as specified, it gets more complicated:

... |rex field=indication "^([^-]+)\s*-\s*(?<middle>[0-9.]+|OTHER)(?<bad_data>\s*-.*)?"
  | where isnull(bad_data) AND isnotnull(middle)

Hi aramkrishnan,

Based on the input and the description, you could also do this by doing a simple split (using makemv) and checking whether the third field is null or not. This is a simple solution and it does not look into the actual values.

...|eval ind_split=indication |makemv delim="-" ind_split |eval error_detected=if(isnotnull(mvindex(ind_split,2)),1,0) |where error_detected=0

(If you know that the dash is always surrounded by spaces, you could also use delim=" - ".)



There are many ways to get this solved. For example, you can use the regex command to filter with regex:

So try to append this to your current search:

... | regex indication="\d+\s-\sOTHER"

The regex just says, one or more digits (so this is for your number), followed by exactly one space, the "-" symbol, one more space and "OTHER".

Here is also a small run-everywhere example that you can simply copy and paste into your search bar:

| stats count | eval indication = "thisisra ndcoma gain - OTHER" | append [| stats count | eval indication = "thisisanerrorcase - 121.112 - OTHER"] | regex indication="\d+\s-\sOTHER"

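The three detection approaches from the answers above (the strict rex with a middle/bad_data split, the makemv third-part check, and the `\d+\s-\sOTHER` regex), re-implemented in Python as an added example that is not from the original thread, so the question's sample values can be classified offline. The two extra inputs at the end (double spacing, a dash inside the text portion) are constructed to show where the approaches disagree.

```python
import re

# Constructed samples: the five from the question, plus two assumed
# variants that show the differences between the approaches.
SAMPLES = [
    ("thisisrandomtext - 123.11 ", False),
    ("morerandom texthere - 232.0", False),
    ("thisisra ndcoma gain - OTHER", False),
    ("thisisanerrorcase - 121.112 - OTHER", True),
    ("thisisanerror again test - 123 - OTHER", True),
    ("double spaced - 12  - OTHER", True),   # two spaces before the dash
    ("well-known text - 12.3", False),       # dash inside the text part
]

# Python equivalent of: rex "^([^-]+)\s*-\s*(?<middle>[0-9.]+|OTHER)(?<bad_data>\s*-.*)?"
STRICT = re.compile(r"^([^-]+)\s*-\s*(?P<middle>[0-9.]+|OTHER)(?P<bad_data>\s*-.*)?")
# Python equivalent of: regex indication="\d+\s-\sOTHER"
LOOSE = re.compile(r"\d+\s-\sOTHER")


def is_error_strict(value):
    """Error when the middle part is a number or OTHER and a third part follows."""
    m = STRICT.match(value)
    return bool(m and m.group("middle") and m.group("bad_data"))


def is_error_loose(value):
    """Error when digits, exactly one whitespace char, '-', one whitespace, OTHER appear."""
    return LOOSE.search(value) is not None


def is_error_split(value):
    """makemv delim="-" followed by isnotnull(mvindex(ind_split, 2))."""
    return len(value.split("-")) > 2


def classify(value):
    """Return each approach's verdict for one field value."""
    return {
        "strict": is_error_strict(value),
        "loose": is_error_loose(value),
        "split": is_error_split(value),
    }


if __name__ == "__main__":
    for value, expected in SAMPLES:
        print(f"{value!r:45} expected={expected} {classify(value)}")
```

The strict rex handles the extra whitespace and the embedded dash; the loose regex misses the double-spaced case, and the split approach flags a hyphenated text part as a third segment.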