Tags: splunk, splunk-query

Splunk Query to find greater than


I have a splunk log LOG: "TOTAL NUMBER OF RECORDS IS:0"

I need to query it in a way that it finds a log message if the number of records turns out to be more than 0.

I have tried the following

 sourcetype=mylogs | rex "\d+:\d+:\d+\s(?<TOTAL NUMBER OF RECORDS IS:>\d+)$" | where TOTAL NUMBER OF RECORDS IS:>=25

It gives a terminator error.


Solution

There are a few things wrong with that query.

  • The regular expression looks for 3 sets of digits separated by colons. That doesn't match your example. Try TOTAL NUMBER OF RECORDS IS:(?<field>\d+). You may even get by with :(?<field>\d+).
  • The field name in your query should not have spaces in it. Try something like TotalNumberOfRecords.
  • Field names can't contain colons. That's probably the source of the error message.

Try this query: sourcetype=mylogs | rex "TOTAL NUMBER OF RECORDS IS:(?<TotalNumberOfRecords>\d+)" | where TotalNumberOfRecords>=25
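As an added illustration (not part of the original question or answer), the same extraction and threshold logic run in Python over a few constructed sample events. It shows why anchoring the rex on the literal "TOTAL NUMBER OF RECORDS IS:" prefix matters, and what a loose pattern keyed only on a colon would extract instead; the timestamps and event text are invented.

```python
import re

# Constructed sample events (not from the original post); timestamps are
# invented so the lines look like real log events.
SAMPLE_EVENTS = [
    "2024-01-01 10:15:30 LOG: TOTAL NUMBER OF RECORDS IS:0",
    "2024-01-01 10:16:30 LOG: TOTAL NUMBER OF RECORDS IS:7",
    "2024-01-01 10:17:30 LOG: TOTAL NUMBER OF RECORDS IS:250",
    "2024-01-01 10:18:30 LOG: connection established",
]

# Python names groups with (?P<name>...); Splunk's rex uses PCRE (?<name>...).
# Anchoring on the literal prefix makes the extraction unambiguous; the field
# name contains no spaces or colons, as Splunk requires.
ANCHORED = re.compile(r"TOTAL NUMBER OF RECORDS IS:(?P<TotalNumberOfRecords>\d+)")
# A loose pattern keyed only on a colon grabs the first ":digits" it sees,
# which in these events is part of the timestamp, not the record count.
LOOSE = re.compile(r":(?P<TotalNumberOfRecords>\d+)")


def extract_total(event, pattern=ANCHORED):
    """Return the extracted count as an int, or None when the pattern misses."""
    m = pattern.search(event)
    return int(m.group("TotalNumberOfRecords")) if m else None


def events_at_or_above(events, threshold, pattern=ANCHORED):
    """Equivalent of `| rex ... | where TotalNumberOfRecords>=threshold`."""
    kept = []
    for event in events:
        total = extract_total(event, pattern)
        # Events where the field was never extracted are dropped, as in Splunk.
        if total is not None and total >= threshold:
            kept.append(event)
    return kept


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_total(event), "(anchored) vs", extract_total(event, LOOSE), "(loose)")
    print(events_at_or_above(SAMPLE_EVENTS, 1))
```

Running it shows the anchored pattern keeps only the two events with a non-zero count, while the loose pattern matches every event because it reads the minutes field of the timestamp.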