Splunk Search

How to write an eval if field value matches a regex good otherwise bad?

Log_wrangler
Builder

Need a little help writing an eval that uses a regex to check if the field value is a number 5 digits long and the 1st digit is not 0.

some pseudo code:

...| eval <field>  = if (regex =match, good, bad)

Thank you

Tags (2)
0 Karma
1 Solution

niketn
Legend

@Log_wrangler, the regular Expression that you need is ^((?!0)(\d{1,5}))$. It will not match if the Account_ID start with 0 or if the length of Account_ID is > 5 or any non-numeric character is present in the Account_ID.

Following is a run anywhere example with some sample data to test:

| makeresults 
| eval Account_ID="87347,123,1,0,848/'A$,993884,000,0123,949A4,48A4" 
| makemv Account_ID delim="," 
| mvexpand Account_ID 
| eval validation_result= if(match(Account_ID,"^((?!0)(\d{1,5}))$"),"good","bad")

If you want to understand how this Regular Expression works try out on regex101(link attached): https://regex101.com/r/f0QOAB/1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@Log_wrangler, the regular Expression that you need is ^((?!0)(\d{1,5}))$. It will not match if the Account_ID start with 0 or if the length of Account_ID is > 5 or any non-numeric character is present in the Account_ID.

Following is a run anywhere example with some sample data to test:

| makeresults 
| eval Account_ID="87347,123,1,0,848/'A$,993884,000,0123,949A4,48A4" 
| makemv Account_ID delim="," 
| mvexpand Account_ID 
| eval validation_result= if(match(Account_ID,"^((?!0)(\d{1,5}))$"),"good","bad")

If you want to understand how this Regular Expression works try out on regex101(link attached): https://regex101.com/r/f0QOAB/1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

somesoni2
Revered Legend

Try like this

...| eval YourFieldName=if(match(fieldToMatch,"^(\d{5})$") AND NOT match(fieldToMatch,"^0\d{4}"),"good", "bad")
0 Karma

Log_wrangler
Builder

thank you for the reply, I like the way you wrote this in parts, fyi I changed this "^(\d{1,5})$") and this "^0\d{1,4}" but I still need to eval any account_id starting with 0 as bad including if its only one digit.

Thank you

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...