Splunk Search

How to write an eval if field value matches a regex good otherwise bad?

Log_wrangler
Builder

Need a little help writing an eval that uses a regex to check if the field value is a number 5 digits long and the 1st digit is not 0.

Some pseudocode:

...| eval <field>  = if (regex =match, good, bad)

Thank you

0 Karma
1 Solution

niketn
Legend

@Log_wrangler, the regular expression that you need is ^((?!0)(\d{1,5}))$. It will not match if the Account_ID starts with 0, if the length of Account_ID is > 5, or if any non-numeric character is present in the Account_ID.

Following is a run anywhere example with some sample data to test:

| makeresults 
| eval Account_ID="87347,123,1,0,848/'A$,993884,000,0123,949A4,48A4" 
| makemv Account_ID delim="," 
| mvexpand Account_ID 
| eval validation_result= if(match(Account_ID,"^((?!0)(\d{1,5}))$"),"good","bad")

If you want to understand how this regular expression works, try it out on regex101 (link attached): https://regex101.com/r/f0QOAB/1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


somesoni2
Revered Legend

Try like this:

...| eval YourFieldName=if(match(fieldToMatch,"^(\d{5})$") AND NOT match(fieldToMatch,"^0\d{4}"),"good", "bad")
0 Karma

Log_wrangler
Builder

Thank you for the reply. I like the way you wrote this in parts. FYI, I changed this to "^(\d{1,5})$" and this to "^0\d{1,4}", but I still need to eval any account_id starting with 0 as bad, including if it's only one digit.

Thank you

0 Karma
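To see why the lookahead form from niketn's accepted answer and the two-part form from somesoni2 (as modified in the reply above) disagree on a bare "0", here is an added Python example that is not part of the thread. It uses Python's `re` as a stand-in for Splunk's PCRE-based `match()` (unanchored search, so the `^`/`$` anchors matter), runs both regexes over the sample values from niketn's run-anywhere search, and adds a hypothetical tightened leading-zero check (`^0`, a name and pattern assumed here, not from the thread) that rejects a single "0" the way the lookahead does.

```python
import re

# Sample values taken from niketn's run-anywhere example on this page
# (the makemv/mvexpand pair splits the comma-separated string into these).
SAMPLE_ACCOUNT_IDS = [
    "87347", "123", "1", "0", "848/'A$",
    "993884", "000", "0123", "949A4", "48A4",
]

# niketn's accepted regex: 1-5 digits whose first digit is not 0 (negative lookahead).
NIKETN_RE = re.compile(r"^((?!0)(\d{1,5}))$")

# somesoni2's two-part form, with the 1-5 length change Log_wrangler describes.
LENGTH_RE = re.compile(r"^(\d{1,5})$")
LEADING_ZERO_RE = re.compile(r"^0\d{1,4}")  # as posted: requires a digit after the 0

# Hypothetical tightened check (not from the thread): any value whose first
# character is 0, including a bare "0", is rejected.
LEADING_ZERO_ANY_RE = re.compile(r"^0")


def splunk_match(pattern, value):
    """Mimic Splunk eval match(): true if the regex is found anywhere in value."""
    return pattern.search(value) is not None


def validate_lookahead(value):
    """eval validation_result = if(match(Account_ID, NIKETN_RE), "good", "bad")"""
    return "good" if splunk_match(NIKETN_RE, value) else "bad"


def validate_two_part(value, leading_zero_re=LEADING_ZERO_RE):
    """eval YourFieldName = if(match(length) AND NOT match(leading_zero), "good", "bad")"""
    ok = splunk_match(LENGTH_RE, value) and not splunk_match(leading_zero_re, value)
    return "good" if ok else "bad"


def compare(values):
    """Map each value to (lookahead, two_part_as_posted, two_part_tightened)."""
    return {
        v: (
            validate_lookahead(v),
            validate_two_part(v),
            validate_two_part(v, LEADING_ZERO_ANY_RE),
        )
        for v in values
    }


if __name__ == "__main__":
    for v, (a, b, c) in compare(SAMPLE_ACCOUNT_IDS).items():
        print(f"{v!r:>10}  lookahead={a:<4} two_part={b:<4} two_part_tightened={c}")
```

The only value on which the columns differ is "0": `^0\d{1,4}` needs at least one digit after the zero, so the two-part check as posted marks a lone "0" as good, while `(?!0)` and the tightened `^0` check both mark it bad. Six-digit and non-numeric values are rejected by every variant because the length regex is anchored at both ends.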