Splunk Query to find greater than

Question

I have a splunk log LOG: "TOTAL NUMBER OF RECORDS IS:0"

I need to Query it in a way that it find a log message if the number of records turn out to be more than 0

I have tried the following

 sourcetype=mylogs | rex "\d+:\d+:\d+\s(?<TOTAL NUMBER OF RECORDS IS:>\d+)$" | where TOTAL NUMBER OF RECORDS IS:>=25

It gives a terminator Error

RichG · Accepted Answer · 2019-02-27T20:45:33.907

There are a few things wrong with that query.

The regular expression looks for 3 sets of digits separated by colons. That doesn't match your example. Try TOTAL NUMBER OF RECORDS IS:(?<field>\d+). You may even get by with :(?<field>\d+).
The field name in your query should not have spaces in it. Try something like TotalNumberOfRecords.
Field names can't contain colons. That's probably the source of the error message.

Try this query: sourcetype=mylogs | rex ":\d+(?<TotalNumberOfRecords>\d+)" | where TotalNumberOfRecords>=25

score 0 · Answer 2 · answered Feb 27 '19 at 02:56

Here's an example SPL to suit your requirement:

| makeresults 
| eval _raw="TOTAL NUMBER OF RECORDS IS:10"
| rex field=_raw "TOTAL NUMBER OF RECORDS IS:(?<record_num>.\d+)" 
| where record_num > 0

Line-by-line Explanation:

Line 1-2: Creating a dummy event for this test.
Line 3: Extract the value of number of records from _raw and store it in record_num field.
Line 4: where clause to filter results.

Aishwarya Sharma · Answer 3 · 2022-08-29T12:17:26.937

0

This did not work for me, may be different splunk versions. I wanted to get "An event at a delay of 102" log for values greater than 100.

Below query worked.

index="***" sourcetype="***" "An event" | rex "An event at a delay of (?<delay>[0-9]+)" | where delay > 100

edited Aug 29 '22 at 12:17

answered Aug 29 '22 at 12:17

Aishwarya Sharma

3 Answers3