Splunk Search

Search for the biggest number in a field

hofer
Explorer

I've got a long csv and extracted the fields. Now in one field there's more than one piece of information.
Depending on how many recipients a message is for, that many recipients are logged. The format looks like:

...|{}|{"...","..","recipient0":"01234567","recipient1":"09877543","recipient2":"151617189",....,"recipient8":"41790042325","IP":1.1.1.1","..."}|{}|...|
...|{}|{"...","..","recipient0":"05974567","recipient1":"09877543","recipient2":"151617199","IP":1.1.1.1","..."}|{}|...|

So "recipient0" is always there; there are at most 10 recipients (0-9). I'd like to have a timechart of how many recipients a message got, so I'm searching for a command to find the "highest" recipient.

I hope my question is understandable and you can help me, many thanks.

0 Karma
1 Solution

tom_frotscher
Builder

Hi,

you can try it with something like this:

... | rex max_match=0 "recipient(?<counter>\d)" | eval max_result = max('counter') + 1

The rex command extracts the numbers of the recipient fields into a multivalue field. Then you use max to get the maximum. Because the fields are numbered from 0 to 9, you might want to add a "+ 1" to the eval command for the correct count.


hofer
Explorer

Thank you, it helped me.
I don't manage to search in only one field. "recipient0" etc. also occurs in other fields in the log, so I'd have to adapt the regex or try it with a subsearch.
And would it be good to change the regex so it only matches 1 digit after "recipient"? Or does it only "operate" with numbers, since we calculate with it afterwards?

0 Karma

tom_frotscher
Builder

Yeah, so you can use a rex command first to make a field that contains only the recipients of interest. For example a regex that extracts

{"...","..","recipient0":"01234567","recipient1":"09877543","recipient2":"151617189",....,"recipient8":"41790042325","IP":1.1.1.1","..."}

out of

...|{ other log data with recipients in it}|{"...","..","recipient0":"01234567","recipient1":"09877543","recipient2":"151617189",....,"recipient8":"41790042325","IP":1.1.1.1","..."}|{ more log data with recipients in it}|...|

and then use the rex from my first answer only on this field.

"would it be good to change the regex so it only matches 1 digit after "recipient"" -> It already only matches one digit after "recipient", since I only used \d and not \d+ or \d*, where \d stands for a single digit.

0 Karma
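The two-step approach tom_frotscher describes (first isolate the one column that holds the message JSON, then run the single-digit recipient regex on that column only, then take the maximum plus one) is worked through below in Python rather than SPL, as an added example that is not code from the thread. It also shows what goes wrong when the recipient regex runs over the whole raw event, which is the problem hofer hit. The pipe-delimited sample lines, the assumption that the message JSON sits in column index 2, and the key/value contents are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample events in the pipe-delimited layout described in the thread.
# The second line deliberately carries recipient keys in an unrelated column, so that
# an unscoped match over the whole event over-counts.
SAMPLE_LINES = [
    'a|{}|{"msg":"x","recipient0":"01234567","recipient1":"09877543","recipient2":"151617189","IP":"1.1.1.1"}|{}|b|',
    'a|{"recipient0":"noise","recipient1":"noise"}|{"msg":"y","recipient0":"05974567","IP":"1.1.1.1"}|{}|b|',
    'a|{}|{"msg":"z","recipient0":"1","recipient1":"2","recipient2":"3","recipient3":"4","recipient4":"5",'
    '"recipient5":"6","recipient6":"7","recipient7":"8","recipient8":"9","recipient9":"10","IP":"1.1.1.1"}|{}|b|',
]

# Assumption for this example: the message JSON is the third pipe-delimited column.
MESSAGE_COLUMN = 2

# One digit after "recipient", exactly as in the answer: keys run from recipient0 to recipient9.
# Requiring the quotes and the colon means only JSON keys match, never values such as "10".
RECIPIENT_KEY = re.compile(r'"recipient(\d)"\s*:')


def message_field(line: str) -> str:
    """The 'first rex': pick out only the column holding the message JSON."""
    columns = line.split("|")
    if len(columns) <= MESSAGE_COLUMN:
        return ""
    return columns[MESSAGE_COLUMN]


def recipient_indices(text: str) -> list[int]:
    """The multivalue 'counter' field: every recipient index found in the text."""
    return [int(m) for m in RECIPIENT_KEY.findall(text)]


def recipient_count(line: str) -> int:
    """max('counter') + 1 from the accepted answer, scoped to the message column only.

    Returns 0 for an event with no recipient keys in that column.
    """
    indices = recipient_indices(message_field(line))
    return max(indices) + 1 if indices else 0


def unscoped_count(line: str) -> int:
    """Same calculation run over the whole raw event, to show the pitfall:
    recipient keys in other columns inflate the result."""
    indices = recipient_indices(line)
    return max(indices) + 1 if indices else 0


def count_distribution(lines: list[str]) -> dict[int, int]:
    """How many messages had N recipients; this is what a timechart would bucket by time."""
    return dict(Counter(recipient_count(line) for line in lines))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"scoped={recipient_count(line)} unscoped={unscoped_count(line)}")
    print(count_distribution(SAMPLE_LINES))
```

For the second sample line the scoped count is 1 while the unscoped count is 2, which is exactly the over-count a rex over the whole event would produce; in SPL the equivalent fix is the extra rex that captures just the message column before the recipient rex runs.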