Hi
I am looking for the best way to alert when a field value is not within a normal input range.
For example, I have a field called 'Account_ID' and the only normal value should be 1 to 5 digits long, like 99999.
I want to create an alert that triggers if Account_ID is not a number, contains any characters other than digits, or is longer than 5 digits.
For example: Account_ID = 87347 (good), Account_ID = 848/'A$ (bad - alert), or Account_ID = 9938848994994 (bad).
Thank you for your help.
@Log_wrangler, try the following eval:
| eval validation_result= if((!isnum(Account_ID)) OR (isnum(Account_ID) AND (len(Account_ID)<=0 OR len(Account_ID)>5)),"bad","good")
Following is a run-anywhere search:
| makeresults
| eval Account_ID="87347,848/'A$,9938848994994"
| makemv Account_ID delim=","
| mvexpand Account_ID
| eval validation_result= if((!isnum(Account_ID)) OR (isnum(Account_ID) AND (len(Account_ID)<=0 OR len(Account_ID)>5)),"bad","good")
It sounds like you are looking for the regex command. Using this you will filter out (using !=) events whose account_id field matches your regular expression pattern of what makes a valid account id, and then alert if any events are left.
Thank you (everyone) for the replies.
What I would like to do is run a search (for example, daily) that returns a list of all the Account_IDs, checks for bad Account_IDs, and returns a list of Bad_IDs.
I was thinking about using a != regex match, but will that slow performance?
Any suggestions on how to write the eval (Account_ID != regex) and then list the new field bad_ID?
Thank you
Thank you again Acharlieh.
I do like your idea about not matching a regex pattern.
I think I will ask this specific question in the future.
I like your query; however, there is a problem: if the Account_ID value is <=0, like 000, I want that to be "bad". However, I will accept your answer because it is mostly successful. I am looking for the syntax for the eval statement to look at the number value instead of the length. Please share if you know it.
Thank you
If there is a better way please let me know, but here is what I built off your base code:
index=A sourcetype=A_logs
| eval Account_ID_format = if((!isnum(Account_ID)) OR (Account_ID=0) OR (isnum(Account_ID) AND (len(Account_ID)>5)),"bad","good")
| search Account_ID_format = bad
| stats values(Account_ID_format) by Account_ID
@Log_wrangler, please try out the following search. I have updated the validation condition and am performing the tonumber() conversion as a separate step.
index=A sourcetype=A_logs
| stats count by Account_ID
| eval Account_ID=tonumber(Account_ID)
| eval Account_ID_format= if((isnull(Account_ID)) OR ((Account_ID<=0) OR (len(Account_ID)<=0 OR len(Account_ID)>5)),"bad","good")
| search Account_ID_format = bad
Notice that I have moved stats up and am performing stats on good Account IDs as well, but filtering only the bad results at the end. Performing a streaming command (eval) on the results of a transforming command (stats) should perform better.
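One search that combines the regex approach acharlieh suggested earlier with the "000 / <=0 must be bad" refinement from this answer, as an added example (not code posted by anyone in this thread). It uses match() with an anchored digit pattern instead of isnum()/len(): isnum() also accepts signed and decimal values such as -123 or 1.5, which are five characters or fewer and so pass the length check, while the regex admits only 1 to 5 ASCII digits. The tonumber() > 0 clause then rejects 0 and 000. The first search is run-anywhere with constructed sample values; the second is the same test written as a scheduled alert search over the index=A sourcetype=A_logs placeholders used in the thread.

```spl
| makeresults
| eval Account_ID="87347,848/'A$,9938848994994,000,0,-123,1.5,12345"
| makemv Account_ID delim=","
| mvexpand Account_ID
| eval Account_ID_format=if(match(Account_ID, "^[0-9]{1,5}$") AND tonumber(Account_ID) > 0, "good", "bad")
| where Account_ID_format="bad"

index=A sourcetype=A_logs
| where NOT match(Account_ID, "^[0-9]{1,5}$") OR tonumber(Account_ID) <= 0
| stats count by Account_ID
```

In the run-anywhere search, 87347 and 12345 come out "good" and the other six values "bad". For the alert, save the second search and trigger on "Number of Results is greater than 0"; the stats count gives you the list of bad IDs and how often each appeared. Two caveats: where drops events in which Account_ID is missing entirely (a null never satisfies the condition), so add isnull(Account_ID) to the OR if absent IDs should also alert; and the plain `| regex Account_ID!="^[0-9]{1,5}$"` form acharlieh described is equivalent to the NOT match() half but cannot express the numeric > 0 test, which is why the eval/where form is used here.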
Hello @Log_wrangler,
try out the following search:
| makeresults count=1
| eval Account_ID = "2345564,12345,9999999999,342A@,12345$%^"
| makemv delim="," Account_ID
| mvexpand Account_ID
| eval char_count = len(Account_ID)
| eval num_or_string = if(isnum(Account_ID),"Number","String")
From there you can set your alert: | where char_count > 5 .... etc.
See also the screenshot:
Thank you for your reply. I chose to follow the first response because it seemed easier, but you have a good idea too, which I will refer to in the future.