Solved: conditional rex in splunk

abhayneilam · ‎06-14-2018

I have a field called Number and it has got a value like :

| inputlookup Numbers.csv

Number
102
2
45
204
345
100
100
45
21
100
103

If I do | inputlookup Numbers.csv | where Number > 100 then I would get only those number which are greater than 100.

The same thing I wanna achieve using Regular Expression ( REGEX ) to get only those which are greater than 100. It could be 101 , 102, 102...100000000002, 10000000,5000,345,50987,etc.

FrankVl · ‎06-14-2018

Not entirely sure why you would want to do this with a regex, but this should work I think:

| inputlookup Numbers.csv | regex Number="(10[1-9]|1[1-9][0-9]|[2-9][0-9][0-9]|\d{4,})"

This covers all 4 cases: 101-109,110-199,200-999,1000-...

Alternatively, you could do:

| inputlookup Numbers.csv | regex Number="\d{3,}" | regex Number!="100"

To first get any Number of 3 or more digits and then drop the ones equal to 100.

View solution in original post

FrankVl · ‎06-14-2018

Not entirely sure why you would want to do this with a regex, but this should work I think:

| inputlookup Numbers.csv | regex Number="(10[1-9]|1[1-9][0-9]|[2-9][0-9][0-9]|\d{4,})"

This covers all 4 cases: 101-109,110-199,200-999,1000-...

Alternatively, you could do:

| inputlookup Numbers.csv | regex Number="\d{3,}" | regex Number!="100"

To first get any Number of 3 or more digits and then drop the ones equal to 100.

abhayneilam · ‎06-14-2018

Thanks !!!!

conditional rex in splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation