Solved: How to generate a search that will only display re...

drinkingjimmy · ‎03-23-2017

A field is named product. I want to produce a list of products in my source, which are not made up of only english alphanumeric characters (any length).
I.e. Products:
Dog Collar
18 inch Dog Collar
20-inch Dog Collar
Ƨhock collar

would yield only:
20-inch Dog Collar
Ƨhock collar

(Because of the latin character and the hyphen.)

I've seen plenty of uses of sed to remove/replace the non-alphanumerics, but I don't want to remove, just get a list of the outliers.

somesoni2 · ‎03-23-2017

Try like this. First two lines are to generate sample data. You need to replace that with your search.

| gentimes start=-1 | eval Product="Dog Collar#18 inch Dog Collar#20-inch Dog Collar#Ƨhock collar" | table Product | makemv Product delim="#" | mvexpand Product 
| regex Product!="^[A-z\s0-9]+$"

This will keep events which have Product with any non-alphanumeric character.

View solution in original post

somesoni2 · ‎03-23-2017

Try like this. First two lines are to generate sample data. You need to replace that with your search.

| gentimes start=-1 | eval Product="Dog Collar#18 inch Dog Collar#20-inch Dog Collar#Ƨhock collar" | table Product | makemv Product delim="#" | mvexpand Product 
| regex Product!="^[A-z\s0-9]+$"

This will keep events which have Product with any non-alphanumeric character.

How to generate a search that will only display results where a field contains some non-alphanumeric characters?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!