splunk where condition

rakeshreddy123 · ‎03-17-2016

I have a sample query that i need to apply a where condition to:

index="web" host="blah*" sourcetype="jboss:serverLog" "want 0 out of number from CaCHE "

I need to apply a where condition to see the number greater than 100 in the above query

something like this, from below, i need to apply a where clause to show only those transactions where that number (20,40,60,120) is greater than 100

index="web" host="wjb2*ksc14*" sourcetype="jboss:serverLog" "Fetched 0 Browse Offers out of 20"
index="web" host="wjb2*ksc14*" sourcetype="jboss:serverLog" "Fetched 0 Browse Offers out of 40"
index="web" host="wjb2*ksc14*" sourcetype="jboss:serverLog" "Fetched 0 Browse Offers out of 60"
index="web" host="wjb2*ksc14*" sourcetype="jboss:serverLog" "Fetched 0 Browse Offers out of 120"

somesoni2 · ‎03-17-2016

You would need to extract that number as a field and then apply a filter based on that. Try something like this

index="web" host="wjb2*ksc14*" sourcetype="jboss:serverLog" "Fetched 0 Browse Offers out of" | rex "Fetched 0 Browse Offers out of (?<fetchcount>\d+)" | where fetchcount>100

A better option would be save this field extraction in the props.conf so that you directly filter in the base search.

splunk where condition

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)