Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a condition based on the number of digits of a value?

andres91302
Communicator
‎04-06-2021 07:04 PM

Hello Talented People of the wordl!

I hope you are having a great day, I wish to know if there is a way to have a YES or NOT output of the number of digits in each row is greater than a  certain limit, for example: I want the column MET equal to true if the number of digits in the raws of the field ID is greater than 9 .. kind of like this:

IDMET
123456789NOT
548554569362YES
14521421NOT
1254NOT
4858466358475248YES

 

lets say that my search begings as follows: 

index="medic_dni" ID=* | field ID

#######################################################################
STAGE 2=
I would wonder how would the code would have to look like if the column ID would show some values witha string followed by the (-) sign and then a string of  numbers something like this:  ID-47855478554 OR IDUSA-47854785545 or something like this: IDSPAIN-7854545454

How can I obtain the following table

ID

ID_ONLY_NUMBERSNUMBERS_GREATER_THAN_9
ID-4785547855484147855478554YES
IDUSA-4785478554552197247854785545YES
IDSPAIN-7854545454745887854545454YES


THANK YOU SO  SO MUCH TO ANYONE WHO WOULD LIKE TO HELP I TRULLY FROM THE BOTTOM OF MY HEART THANK YOU 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-06-2021 09:56 PM

@andres91302 

I'm assuming the ID_ONLY_NUMBERS column in your example is not what you would expect with the data in your ID column as the numbers are not the same, however, you can paste this example to a search window which simulates your data.

The last two lines of the search will give you what you need.

| makeresults
| eval _raw="ID
ID-47855478554841
IDUSA-47854785545521972
IDSPAIN-785454545474588
IDUK-123456789"
| multikv forceheader=1
| fields - _time linecount _raw
| rex field=ID "[^-]*-(?<ID_ONLY_NUMBERS>\d+)"
| eval NUMBERS_GREATER_THAN_9=if(len(ID_ONLY_NUMBERS)>9,"YES","NO")

 Hope this helps

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-06-2021 09:56 PM

@andres91302 

I'm assuming the ID_ONLY_NUMBERS column in your example is not what you would expect with the data in your ID column as the numbers are not the same, however, you can paste this example to a search window which simulates your data.

The last two lines of the search will give you what you need.

| makeresults
| eval _raw="ID
ID-47855478554841
IDUSA-47854785545521972
IDSPAIN-785454545474588
IDUK-123456789"
| multikv forceheader=1
| fields - _time linecount _raw
| rex field=ID "[^-]*-(?<ID_ONLY_NUMBERS>\d+)"
| eval NUMBERS_GREATER_THAN_9=if(len(ID_ONLY_NUMBERS)>9,"YES","NO")

 Hope this helps

 

Reply
Solved! Jump to solution

andres91302
Communicator
‎04-07-2021 06:21 AM

@bowesmana  hey man! I am not going to waste any time taking your answer as the solution because you nailed it! 10/10  I have to praise you!

 

I would be so thankful if you could please tell me how this regular expression works as I cant seem to find documentation about it

| rex field=ID "[^-]*-(?<ID_ONLY_NUMBERS>\d+)"

and this one

| multikv forceheader=1

thank you so much my friend 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎04-07-2021 02:44 PM

The rex command is documented here

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/SearchReference/Rex

as for regular expressions, there are many sites that will help you learn about those

This is a good site for testing regular expressions

https://regex101.com/

You can see how the regex works from that rex command with that site

As for multikv, that's also documented on the Splunk site above. It's quite commonly used in examples here to set up some data.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...