Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to list of search results with a value > X in a specific search field

alysea
New Member
‎08-09-2019 05:22 AM

Hello,

I have the following field:= message.msg:

msg: before send to xxx, payload = {"id":"abc123","userId":1,"currency":1,"amount":"-54"}

I would like to find all search results where amount is <= -50.
How is it possible to do so?

Please let me know if any further information is required.

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-11-2019 01:24 PM

Like this:

| makeresults | eval "message.msg" = "msg: before send to xxx, payload = {\"id\":\"abc123\",\"userId\":1,\"currency\":1,\"amount\":\"-54\"}"

| rename COMMENT AS "Everything above generates sample events; everything below is your solution"

| rename message.msg AS _raw
| rex mode=sed "s/^[^\{]+//"
| spath
| where amount<=-50

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-11-2019 01:24 PM

Like this:

| makeresults | eval "message.msg" = "msg: before send to xxx, payload = {\"id\":\"abc123\",\"userId\":1,\"currency\":1,\"amount\":\"-54\"}"

| rename COMMENT AS "Everything above generates sample events; everything below is your solution"

| rename message.msg AS _raw
| rex mode=sed "s/^[^\{]+//"
| spath
| where amount<=-50
0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎08-11-2019 09:06 AM

hi @alysea
This json field will perhaps have the amount in the payload field. Please check your interesting fields , I think your json values are mapped to the field called 'payload' and not message. The regex by @richgalloway is correct.
Try this if the json values are coming in a field called 'payload'

|  rex field=payload "amount\"+\:+\"(?<amount>.*?)\"" 
|  where amount < -50
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-09-2019 07:33 AM

Here's one way.

... | rex field=message "amount":"(?<amount>-?\d+)" | where amount < -50
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

alysea
New Member
‎08-12-2019 12:33 AM

Thank you for the help!

0 Karma
Reply
Solved! Jump to solution

alysea
New Member
‎08-09-2019 08:36 AM

Thank you, I will try and let you know if it works out 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...