Splunk Search

How to create a condition based on the number of digits of a value?

andres91302
Communicator

Hello Talented People of the wordl!

I hope you are having a great day, I wish to know if there is a way to have a YES or NOT output of the number of digits in each row is greater than a  certain limit, for example: I want the column MET equal to true if the number of digits in the raws of the field ID is greater than 9 .. kind of like this:

IDMET
123456789NOT
548554569362YES
14521421NOT
1254NOT
4858466358475248YES

 

lets say that my search begings as follows: 

index="medic_dni" ID=* | field ID

#######################################################################
STAGE 2=
I would wonder how would the code would have to look like if the column ID would show some values witha string followed by the (-) sign and then a string of  numbers something like this:  ID-47855478554 OR IDUSA-47854785545 or something like this: IDSPAIN-7854545454

How can I obtain the following table

ID

ID_ONLY_NUMBERSNUMBERS_GREATER_THAN_9
ID-4785547855484147855478554YES
IDUSA-4785478554552197247854785545YES
IDSPAIN-7854545454745887854545454YES


THANK YOU SO  SO MUCH TO ANYONE WHO WOULD LIKE TO HELP I TRULLY FROM THE BOTTOM OF MY HEART THANK YOU 

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

@andres91302 

I'm assuming the ID_ONLY_NUMBERS column in your example is not what you would expect with the data in your ID column as the numbers are not the same, however, you can paste this example to a search window which simulates your data.

The last two lines of the search will give you what you need.

| makeresults
| eval _raw="ID
ID-47855478554841
IDUSA-47854785545521972
IDSPAIN-785454545474588
IDUK-123456789"
| multikv forceheader=1
| fields - _time linecount _raw
| rex field=ID "[^-]*-(?<ID_ONLY_NUMBERS>\d+)"
| eval NUMBERS_GREATER_THAN_9=if(len(ID_ONLY_NUMBERS)>9,"YES","NO")

 Hope this helps

 

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

@andres91302 

I'm assuming the ID_ONLY_NUMBERS column in your example is not what you would expect with the data in your ID column as the numbers are not the same, however, you can paste this example to a search window which simulates your data.

The last two lines of the search will give you what you need.

| makeresults
| eval _raw="ID
ID-47855478554841
IDUSA-47854785545521972
IDSPAIN-785454545474588
IDUK-123456789"
| multikv forceheader=1
| fields - _time linecount _raw
| rex field=ID "[^-]*-(?<ID_ONLY_NUMBERS>\d+)"
| eval NUMBERS_GREATER_THAN_9=if(len(ID_ONLY_NUMBERS)>9,"YES","NO")

 Hope this helps

 

andres91302
Communicator

@bowesmana  hey man! I am not going to waste any time taking your answer as the solution because you nailed it! 10/10  I have to praise you!

 

I would be so thankful if you could please tell me how this regular expression works as I cant seem to find documentation about it

| rex field=ID "[^-]*-(?<ID_ONLY_NUMBERS>\d+)"

and this one

| multikv forceheader=1

thank you so much my friend 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

The rex command is documented here

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/SearchReference/Rex

as for regular expressions, there are many sites that will help you learn about those

This is a good site for testing regular expressions

https://regex101.com/

You can see how the regex works from that rex command with that site

As for multikv, that's also documented on the Splunk site above. It's quite commonly used in examples here to set up some data.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...