Splunk Search

How to write an eval if field value matches a regex good otherwise bad?

Log_wrangler
Builder

Need a little help writing an eval that uses a regex to check if the field value is a number 5 digits long and the 1st digit is not 0.

some pseudo code:

...| eval <field>  = if (regex =match, good, bad)

Thank you

Tags (2)
0 Karma
1 Solution

niketnilay
Legend

@Log_wrangler, the regular Expression that you need is ^((?!0)(\d{1,5}))$. It will not match if the Account_ID start with 0 or if the length of Account_ID is > 5 or any non-numeric character is present in the Account_ID.

Following is a run anywhere example with some sample data to test:

| makeresults 
| eval Account_ID="87347,123,1,0,848/'A$,993884,000,0123,949A4,48A4" 
| makemv Account_ID delim="," 
| mvexpand Account_ID 
| eval validation_result= if(match(Account_ID,"^((?!0)(\d{1,5}))$"),"good","bad")

If you want to understand how this Regular Expression works try out on regex101(link attached): https://regex101.com/r/f0QOAB/1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketnilay
Legend

@Log_wrangler, the regular Expression that you need is ^((?!0)(\d{1,5}))$. It will not match if the Account_ID start with 0 or if the length of Account_ID is > 5 or any non-numeric character is present in the Account_ID.

Following is a run anywhere example with some sample data to test:

| makeresults 
| eval Account_ID="87347,123,1,0,848/'A$,993884,000,0123,949A4,48A4" 
| makemv Account_ID delim="," 
| mvexpand Account_ID 
| eval validation_result= if(match(Account_ID,"^((?!0)(\d{1,5}))$"),"good","bad")

If you want to understand how this Regular Expression works try out on regex101(link attached): https://regex101.com/r/f0QOAB/1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

somesoni2
Revered Legend

Try like this

...| eval YourFieldName=if(match(fieldToMatch,"^(\d{5})$") AND NOT match(fieldToMatch,"^0\d{4}"),"good", "bad")
0 Karma

Log_wrangler
Builder

thank you for the reply, I like the way you wrote this in parts, fyi I changed this "^(\d{1,5})$") and this "^0\d{1,4}" but I still need to eval any account_id starting with 0 as bad including if its only one digit.

Thank you

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!