Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a condition based on the number of digits of a value?

andres91302
Communicator
‎04-06-2021 07:04 PM

Hello Talented People of the wordl!

I hope you are having a great day, I wish to know if there is a way to have a YES or NOT output of the number of digits in each row is greater than a  certain limit, for example: I want the column MET equal to true if the number of digits in the raws of the field ID is greater than 9 .. kind of like this:

IDMET
123456789NOT
548554569362YES
14521421NOT
1254NOT
4858466358475248YES

 

lets say that my search begings as follows: 

index="medic_dni" ID=* | field ID

#######################################################################
STAGE 2=
I would wonder how would the code would have to look like if the column ID would show some values witha string followed by the (-) sign and then a string of  numbers something like this:  ID-47855478554 OR IDUSA-47854785545 or something like this: IDSPAIN-7854545454

How can I obtain the following table

ID

ID_ONLY_NUMBERSNUMBERS_GREATER_THAN_9
ID-4785547855484147855478554YES
IDUSA-4785478554552197247854785545YES
IDSPAIN-7854545454745887854545454YES


THANK YOU SO  SO MUCH TO ANYONE WHO WOULD LIKE TO HELP I TRULLY FROM THE BOTTOM OF MY HEART THANK YOU 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-06-2021 09:56 PM

@andres91302 

I'm assuming the ID_ONLY_NUMBERS column in your example is not what you would expect with the data in your ID column as the numbers are not the same, however, you can paste this example to a search window which simulates your data.

The last two lines of the search will give you what you need.

| makeresults
| eval _raw="ID
ID-47855478554841
IDUSA-47854785545521972
IDSPAIN-785454545474588
IDUK-123456789"
| multikv forceheader=1
| fields - _time linecount _raw
| rex field=ID "[^-]*-(?<ID_ONLY_NUMBERS>\d+)"
| eval NUMBERS_GREATER_THAN_9=if(len(ID_ONLY_NUMBERS)>9,"YES","NO")

 Hope this helps

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-06-2021 09:56 PM

@andres91302 

I'm assuming the ID_ONLY_NUMBERS column in your example is not what you would expect with the data in your ID column as the numbers are not the same, however, you can paste this example to a search window which simulates your data.

The last two lines of the search will give you what you need.

| makeresults
| eval _raw="ID
ID-47855478554841
IDUSA-47854785545521972
IDSPAIN-785454545474588
IDUK-123456789"
| multikv forceheader=1
| fields - _time linecount _raw
| rex field=ID "[^-]*-(?<ID_ONLY_NUMBERS>\d+)"
| eval NUMBERS_GREATER_THAN_9=if(len(ID_ONLY_NUMBERS)>9,"YES","NO")

 Hope this helps

 

Reply
Solved! Jump to solution

andres91302
Communicator
‎04-07-2021 06:21 AM

@bowesmana  hey man! I am not going to waste any time taking your answer as the solution because you nailed it! 10/10  I have to praise you!

 

I would be so thankful if you could please tell me how this regular expression works as I cant seem to find documentation about it

| rex field=ID "[^-]*-(?<ID_ONLY_NUMBERS>\d+)"

and this one

| multikv forceheader=1

thank you so much my friend 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎04-07-2021 02:44 PM

The rex command is documented here

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/SearchReference/Rex

as for regular expressions, there are many sites that will help you learn about those

This is a good site for testing regular expressions

https://regex101.com/

You can see how the regex works from that rex command with that site

As for multikv, that's also documented on the Splunk site above. It's quite commonly used in examples here to set up some data.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...