Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to make comparison of a field with a digit with a field where there are alphabetic characters?

metylkinandrey
Communicator
‎10-04-2022 11:07 PM

Prompt as I can make arithmetic comparison of two fields. Comparison: more, less.
The first field consists of numbers: field="1", field="2"
The second of numbers and letters: field="1.route", field="2.route"

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-04-2022 11:51 PM

Hi @metylkinandrey,

if the structure of the second field is fixed, you can use a regex to extract a part of the second field to compare with the first field, something like this:

<your_search>
| rex field=field2 "^(?<field2_num>\d+)\."
| search field1=field2_num

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-04-2022 11:51 PM

Hi @metylkinandrey,

if the structure of the second field is fixed, you can use a regex to extract a part of the second field to compare with the first field, something like this:

<your_search>
| rex field=field2 "^(?<field2_num>\d+)\."
| search field1=field2_num

Ciao.

Giuseppe

Reply
Solved! Jump to solution

metylkinandrey
Communicator
‎10-05-2022 06:58 AM

Giuseppe, Hello!
I do not quite understand how it works, it gives an error:
error in 'rex' command: The regex '(routepointID)=routepointID2' does not extract anything. It should specify at least one named group. Format: (?<name>...).

What am I doing:
| rex routepointID=routepointID2 "^(?<routepointID2_num>\d+)\."

What I need:
Where: "routepointID": "1.SAPS-SIS.TO.LSP.SEND" or "routepointID": "2.SAPS-SIS.TO.LSP.RECEIVE"

I want to receive: "routepointID2_num": "1" or "routepointID2_num": "1"

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-05-2022 08:13 AM

Hi @metylkinandrey,

read again the rex command syntax at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Rex :

| rex field=routepointID "^(?<routepointID_num>\d+)\."

Could youshare a sample of your logs?

I have to understand if you have both the values in the same event or in two different events for the comparison.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

metylkinandrey
Communicator
‎10-06-2022 02:55 AM

Giuseppe, within one message, the field can take only one value, either: 1.SAPS-SIS.TO.LSP.SEND, or: "2.SAPS-SIS.TO.LSP.RECEIVE".
I still don't understand what I need
AT:
| rex field=routepointID "^(?<routepointID_num>\d+)\."
What does refer to: field?
Am I doing the right thing if I want to get a new field "routepointIDnum": "1" or "routepointIDnum": "2"
So?
| rex routepointIDnum=routepointID "^(?<routepointID_num>\d+)\."

<routepointID_num> - what should I substitute instead?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-06-2022 03:20 AM

Hi @metylkinandrey,

as you can read in the above link (https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Rex ), in the rex command you can specify a field for regex application,

in other words, if you don't specify any field, the regex is applied to the entire event (_raw),

if instead you specify a field, the regex is appliad, as in your case, only to the specified field.

The meaning of the command I sent you is:

take in the field "routepointID" the number that is at the beginning of the field and put it in a field called "routepointID_num"

In this way, in the routepointID_num field you have the numbers to match.

For this reason you cannot put the condition in the rex command, but you have to put it in the following command.

The questions now are:

  • are the two values of routepointID field for field extraction and comparison in the same event or in two different events?
  • and, if they are in two events, how can I correlate them? there's a common value in a field (a correlation key)?

Ciao.

Giuseppe

Reply
Solved! Jump to solution

metylkinandrey
Communicator
‎10-06-2022 04:08 AM

Giuseppe, thank you!

Figured it out, it worked:

index="main" sourcetype="testsystem-script333"

| rex field=routepointID "^(?<routepointID_num>\d+)\."

| table routepointID_num

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-06-2022 05:12 AM

Hi @metylkinandrey,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...