Splunk Search

How do you find a true or false value in the following string?

abhishekgandhe
Explorer

Hi,

I have to find the value of true or false from the following string in a logfile. Below are 2 strings with either a true or false value. I just want to find a string with a false value and create an alert.

How do I achieve this?

batchId ==>9459a2b3-871c-4f1b-aece-feb905121b3f==false
batchId ==>14c86ffd-2ae5-4848-995e-6923485c9ed6==true

Thanks


MousumiChowdhur
Contributor

Hi @abhishekgandhe

You can write a regular expression to extract the batch id and the true/false value.
Regex to extract batchId - (batchId)\s+\=\=\>(?P<batchID>[0-9a-f\-]+)
Regex to extract true/false value - batchId\s+\=\=\>[0-9a-f\-]+\=\=(?P<value>\w+)

You can then find out all the events for which value="false", get the respective batchId and set an alert.
Let me know if that works for you.

Thank You!


richgalloway
SplunkTrust

Searching for a specific string in Splunk is a matter of specifying that string in your query. For example, index=foo "false" | ... will return all events with "false" in them.

---
If this reply helps you, Karma would be appreciated.

abhishekgandhe
Explorer

My mistake. I should have given the full requirement.

I want to first find the batchID and then corresponding true/false value for it.

Thanks


abhishekgandhe
Explorer

Here are some logs

{"message":[{"raw":"Lab checkRcReady for batchId ==>2d465022-fb3a-4584-a9c4-6cec867e6694==true :: Output Quality 41.6289592760181%","severityLevel":"Informational","timestamp":"2018-10-17T09:30:47+00:00","sourceType":"LOGBack","loggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl","level":"INFO","threadName":"pool-29-thread-1"}],"internal":{"data":{"id":"5665ef35-d1ef-11e8-9c0f-9b51e6fd477d","documentVersion":"1.61"}},"context":{"data":{"eventTime":"2018-10-17T09:30:47.923Z","isSynthetic":false,"samplingRate":100.0},"device":{"id":"e5fae3de5734","type":"PC","osVersion":"Linux","roleInstance":"e5fae3de5734","deviceName":"Other","deviceModel":"Other","locale":"en-US","browser":"Apache-HttpClient","browserVersion":"Apache-HttpClient 4.5","screenResolution":{}},"user":{"isAuthenticated":false},"session":{"isFirst":false},"operation":{},"location":{"clientip":"0.0.0.0","continent":"North America","country":"United States","province":"Virginia","city":"Boydton"},"custom":{"dimensions":[{"LoggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl"},{"LoggingLevel":"INFO"},{"SourceType":"LOGBack"},{"TimeStamp":"Wed, 17 Oct 2018 09:30:47 GMT"},{"systemGuid":"9516e36a-e5e9-4ec5-a449-edcaeb5f227f"},{"pointId":"fi_12101_01.pv_ag"},{"ThreadName":"pool-29-thread-1"},{"endTime":"1539232140000"}]}}}
... 3 lines omitted ...
{"message":[{"raw":"Critical-Lab checkRcReady for batchId ==>16cfe3ea-52be-4017-b2b2-aedbb360d150==true :: Output Quality 0.0%","severityLevel":"Informational","timestamp":"2018-10-17T09:30:49+00:00","sourceType":"LOGBack","loggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl","level":"INFO","threadName":"pool-29-thread-1"}],"internal":{"data":{"id":"5665ef39-d1ef-11e8-9c0f-9b51e6fd477d","documentVersion":"1.61"}},"context":{"data":{"eventTime":"2018-10-17T09:30:49.321Z","isSynthetic":false,"samplingRate":100.0},"device":{"id":"e5fae3de5734","type":"PC","osVersion":"Linux","roleInstance":"e5fae3de5734","deviceName":"Other","deviceModel":"Other","locale":"en-US","browser":"Apache-HttpClient","browserVersion":"Apache-HttpClient 4.5","screenResolution":{}},"user":{"isAuthenticated":false},"session":{"isFirst":false},"operation":{},"location":{"clientip":"0.0.0.0","continent":"North America","country":"United States","province":"Virginia","city":"Boydton"},"custom":{"dimensions":[{"LoggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl"},{"LoggingLevel":"INFO"},{"SourceType":"LOGBack"},{"TimeStamp":"Wed, 17 Oct 2018 09:30:49 GMT"},{"systemGuid":"9516e36a-e5e9-4ec5-a449-edcaeb5f227f"},{"pointId":"fi_12101_01.pv_ag"},{"ThreadName":"pool-29-thread-1"},{"endTime":"1539239340000"}]}}}
... 9 lines omitted ...
{"message":[{"raw":"Critical-Lab checkRcReady for batchId ==>85d82866-11be-447d-a06c-5ed1bb727a13==true :: Output Quality 0.0%","severityLevel":"Informational","timestamp":"2018-10-17T09:30:52+00:00","sourceType":"LOGBack","loggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl","level":"INFO","threadName":"pool-29-thread-1"}],"internal":{"data":{"id":"598e0a35-d1ef-11e8-8b3a-4b8260d9fc0d","documentVersion":"1.61"}},"context":{"data":{"eventTime":"2018-10-17T09:30:52.616Z","isSynthetic":false,"samplingRate":100.0},"device":{"id":"e5fae3de5734","type":"PC","osVersion":"Linux","roleInstance":"e5fae3de5734","deviceName":"Other","deviceModel":"Other","locale":"en-US","browser":"Apache-HttpClient","browserVersion":"Apache-HttpClient 4.5","screenResolution":{}},"user":{"isAuthenticated":false},"session":{"isFirst":false},"operation":{},"location":{"clientip":"0.0.0.0","continent":"North America","country":"United States","province":"Virginia","city":"Boydton"},"custom":{"dimensions":[{"LoggerName":"com.honeywell.pmt.cps.service.JobformationServiceImpl"},{"LoggingLevel":"INFO"},{"SourceType":"LOGBack"},{"TimeStamp":"Wed, 17 Oct 2018 09:30:52 GMT"},{"systemGuid":"9516e36a-e5e9-4ec5-a449-edcaeb5f227f"},{"pointId":"fi_12101_01.pv_ag"},{"ThreadName":"pool-29-thread-1"},{"endTime":"1539404040000"}]}}}


richgalloway
SplunkTrust

Try this

... | rex "batchId\s==>(?<batchId>[^=]+)==(?<batchIdBoolean>\w+)" | ...
---
If this reply helps you, Karma would be appreciated.
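As an added example (not from the thread), this applies the same extraction and alert condition as the rex above offline in Python, against constructed events shaped like the OP's JSON logs (one batch id reused from the OP's sample, the other made up). The second event's batch id begins with a hex letter rather than a digit, so the pattern must accept any hex character, and a non-matching or non-JSON event must not break the search.

```python
import json
import re

# Same pattern as the rex in the answer above, as a Python regex
# (Splunk rex is PCRE, so the (?<name>...) groups map 1:1 to (?P<name>...)).
BATCH_RE = re.compile(r"batchId\s==>(?P<batchId>[^=]+)==(?P<batchIdBoolean>\w+)")

# Equivalent alert search in SPL (for reference; index name is a placeholder):
#   index=<your_index> | rex "batchId\s==>(?<batchId>[^=]+)==(?<batchIdBoolean>\w+)"
#   | search batchIdBoolean=false | table _time batchId

# Constructed sample events in the shape of the OP's LOGBack/JSON logs
# (trimmed to the "message" block; the second batch id is invented).
SAMPLE_EVENTS = [
    '{"message":[{"raw":"Lab checkRcReady for batchId ==>2d465022-fb3a-4584-a9c4-6cec867e6694==true :: Output Quality 41.6%"}]}',
    '{"message":[{"raw":"Critical-Lab checkRcReady for batchId ==>aece0001-0000-4000-8000-000000000001==false :: Output Quality 0.0%"}]}',
    '{"message":[{"raw":"heartbeat from pool-29-thread-1"}]}',
    'not json at all',
]


def extract_batch_status(event_json):
    """Return (batchId, flag_is_true) for one raw event line, or None when the
    event carries no batchId marker or is not parseable JSON."""
    try:
        event = json.loads(event_json)
    except json.JSONDecodeError:
        return None
    for msg in event.get("message", []):
        m = BATCH_RE.search(msg.get("raw", ""))
        if m:
            return m.group("batchId"), m.group("batchIdBoolean").lower() == "true"
    return None


def failed_batches(events):
    """The alert condition: batch ids whose flag is false (batchIdBoolean=false in SPL)."""
    return [bid for bid, ok in filter(None, map(extract_batch_status, events)) if not ok]


if __name__ == "__main__":
    for bid in failed_batches(SAMPLE_EVENTS):
        print("ALERT: batch", bid, "reported false")
```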

MousumiChowdhur
Contributor

Hi @abhishekgandhe,

Can you share a few sample events?
