In one of my indexes I've got a series of pipe separated fields which has one value expressed as so:
In other cases it's merely:
In order to match both occurrences of 88.91, I'm currently doing:
... | rex field=foo ":(?<locx>\d+\.\d+)$" | rex field=_raw "\|(?<locx>\d+\.\d+)\|" ...
This correctly extracts into "locx" cases where the raw data may appear as:
John|Yellow|31.22:88.91|Thursday|Pass
Eve|Red|73.22:88.91|Monday|Pass
Mary|Green|88.91|Friday|Fail
But it will not put into locx the following version:
The problem is what comes next - say the final field is "testresult" and I want to match all of the values of locx where the testresult is pass, but then I want to find the events where the locx from the test_result=pass is set, but only when locx is the second element in the colon separated version of the field, or when it's the only value (but never in the case of Mark where it's the FIRST value).
What's the best way to do this?
My thinking was that I'd do a subsearch for the pass conditions, get the value of locx for the Pass conditions, and then go back over the data and search for the fails; but that matches locx in the case of Mark where 88.91 is the first of the two fields.
I'm doing a horrific job of explaining this, but what I was looking for was the right way to say:
"Match this condition in the data and then look for this field. For each value of that field, go back through the data and find other matches for a different condition."
From my pseudo data above, I'm trying to find people who failed an exam that took course 88.91 on its own, or, after taking some other course first. But I don't want to find people who took course 88.91 and failed an exam if they took another course after 88.91.
I need a drink.
I would use two fields for this. Using your provided data I would extract one field as baseCourse (this would be 88.91 in your example) and otherCourse for the others. Try something like this:
.... | rex "[\:\|](?P<myCourse>\d+\.\d+)\|" | rex "\|(?P<otherCourse>\d+\.\d+)\:" | ....
This way you can compare the two fields without any problem.
hope this helps ...
Great approach MuS, thanks for that suggestion. Do you have any recommendations on what the best comparison option would be, something using eval, perhaps?
I'm trying to ensure that after extracting myCourse from the rex in a subsearch that when I go back to the main search I'm only matching those cases where myCourse is not the same as
I think I'm just stuck at how to properly do the comparison check to make certain that the students who have a "failed" status for a given exam only have it if the only or most recent course they took was myCourse and not if the only or most recent course they took was any
No need for a subsearch here. Set up the regex as an automatic field extraction so you have the two fields available in the matching events: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Managesearch-timefieldextractions
Check out this answer to get some ideas about how to compare fields http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...
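To make the two extractions from MuS's answer and the comparison asked about in the follow-up concrete, here is an added example (not from the thread) that runs the same two regexes in Python over constructed events and keeps only the failures whose only or most recent course is 88.91. The Mark and Anna events are made up to cover the excluded and included cases; Python's re module accepts the same (?P<name>) group syntax as the rex commands.

```python
import re

# Constructed sample events in the pipe-separated layout from the question.
# Mark is the case the question wants excluded: 88.91 is the FIRST course.
EVENTS = [
    "John|Yellow|31.22:88.91|Thursday|Pass",
    "Eve|Red|73.22:88.91|Monday|Pass",
    "Mary|Green|88.91|Friday|Fail",
    "Mark|Blue|88.91:45.10|Tuesday|Fail",
    "Anna|Black|88.91|Wednesday|Fail",
]

# The two regexes from the answer, unchanged:
#   myCourse    = a course directly followed by "|" (second of a pair, or alone)
#   otherCourse = a course directly followed by ":" (first of a pair)
MY_COURSE = re.compile(r"[\:\|](?P<myCourse>\d+\.\d+)\|")
OTHER_COURSE = re.compile(r"\|(?P<otherCourse>\d+\.\d+)\:")


def extract(event):
    """Return the fields the two rex commands would add to one event.

    A field is None when its regex does not match, which is how the
    "only one course" case (no otherCourse) shows up.
    """
    m1 = MY_COURSE.search(event)
    m2 = OTHER_COURSE.search(event)
    return {
        "myCourse": m1.group("myCourse") if m1 else None,
        "otherCourse": m2.group("otherCourse") if m2 else None,
        "testresult": event.rsplit("|", 1)[-1],  # last pipe-separated field
    }


def failed_after_course(events, course):
    """Names of people who failed and whose only or most recent course is `course`.

    Because myCourse only ever captures the course before the closing "|",
    an event like Mark's (course first, then another) is excluded without
    a subsearch: its myCourse is the later course, not `course`.
    """
    hits = []
    for ev in events:
        fields = extract(ev)
        if fields["testresult"] == "Fail" and fields["myCourse"] == course:
            hits.append(ev.split("|", 1)[0])
    return hits


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev, "->", extract(ev))
    print("failed with 88.91 as only/most recent course:", failed_after_course(EVENTS, "88.91"))
```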