Splunk Search

How to create an alert based on a field value regex pattern?

Log_wrangler
Builder

Hi

I am looking for the best way to alert when a field value is not within the normal input range.

For example, I have a field called 'Account_ID' and the only normal value should be 1 to 5 digits long, like 99999.

I want to create an alert that triggers if Account_ID is not a number (contains any characters other than numbers) or is greater than 5 digits.

For example, Account_ID = 87347 (good), Account_ID = 848/'A$ (bad - alert), or Account_ID = 9938848994994 (bad).

Thank you for your help.


niketn
Legend

@Log_wrangler, try the following eval:

| eval validation_result= if((!isnum(Account_ID)) OR (isnum(Account_ID) AND (len(Account_ID)<=0 OR len(Account_ID)>5)),"bad","good")

Following is a run-anywhere search:

| makeresults 
| eval Account_ID="87347,848/'A$,9938848994994" 
| makemv Account_ID delim="," 
| mvexpand Account_ID 
| eval validation_result= if((!isnum(Account_ID)) OR (isnum(Account_ID) AND (len(Account_ID)<=0 OR len(Account_ID)>5)),"bad","good")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


acharlieh
Influencer

It sounds like you are looking for the regex command. Using this you will filter out ( != ) events whose account_id field matches your regular expression pattern of what makes a valid account id, and then alert if any events are left.


Log_wrangler
Builder

Thank you (everyone) for the replies.

What I would like to do is run a search (for example daily) that returns a list of all the Account_IDs and checks for bad Account_IDs and returns a list of Bad_IDs.

I was thinking about using a != regex match but will that slow performance?

Any suggestions on how to write the eval Account_ID != regex and then list a new field bad_ID?

Thank you


Log_wrangler
Builder

Thank you again Acharlieh.

I do like your idea about not matching a regex pattern.

I think I will ask this specific question in the future.



Log_wrangler
Builder

I like your query, however there is a problem: if the Account_ID value is <= 0, like 000, I want that to be "bad". However, I will accept your answer because it is mostly successful. I am looking for the syntax for the eval statement to look at the number value instead of the length. Please share if you know it.

Thank you


Log_wrangler
Builder

If there is a better way, please let me know, but here is what I built off your base code:

index=A sourcetype=A_logs 
| eval Account_ID_format = if((!isnum(Account_ID)) OR (Account_ID=0) OR (isnum(Account_ID) AND (len(Account_ID)>5)),"bad","good") 
| search Account_ID_format = bad 
| stats values(Account_ID_format) by Account_ID

niketn
Legend

@Log_wrangler, please try out the following search. I have updated the validation condition and perform the tonumber() conversion as a separate step.

index=A sourcetype=A_logs 
| stats count by Account_ID
| eval Account_ID=tonumber(Account_ID)
| eval Account_ID_format= if((isnull(Account_ID)) OR ((Account_ID<=0) OR (len(Account_ID)<=0 OR len(Account_ID)>5)),"bad","good")
| search Account_ID_format = bad

Notice that I have moved stats up and am performing stats on good Account IDs as well, but filtering only the bad results at the end. Performing a streaming command (eval) on the results of a transforming command (stats) should perform better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

adonio
Ultra Champion

Hello @Log_wrangler,

try out the following search:

| makeresults count=1 
| eval Account_ID = "2345564,12345,9999999999,342A@,12345$%^"
| makemv delim="," Account_ID
| mvexpand Account_ID
| eval char_count = len(Account_ID)
| eval num_or_string = if(isnum(Account_ID),"Number","String")

From there you can set your alert: | where char_count > 5 ... etc.

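Pulling the thread's suggestions together, here is an added run-anywhere search (not from any of the posters) that takes acharlieh's regex approach via match(), assumes a valid Account_ID is 1 to 5 digits with no leading zero (so 000 and 0 are flagged, as Log_wrangler wanted), and labels the reason each bad value failed; the sample values are constructed.

```spl
| makeresults
| eval Account_ID="87347,848/'A$,9938848994994,000,0,12,1.5,-42"
| makemv delim="," Account_ID
| mvexpand Account_ID
| eval Account_ID_format=if(match(Account_ID, "^[1-9][0-9]{0,4}$"), "good", "bad")
| eval reason=case(
      Account_ID_format="good", "ok",
      NOT match(Account_ID, "^[0-9]+$"), "contains non-digit characters",
      len(Account_ID)>5, "more than 5 digits",
      match(Account_ID, "^0"), "zero or leading zero",
      true(), "other")
| where Account_ID_format="bad"
| stats count by Account_ID, reason
```

For the scheduled alert, replace the first four lines with `index=A sourcetype=A_logs` and, following niketn's advice, run `stats count by Account_ID` before the evals so the validation runs once per distinct ID.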

Log_wrangler
Builder

Thank you for your reply. I chose to follow the first response because it seemed easier, but you have a good idea too, which I will refer to in the future.
