Splunk Query to find greater than

Question

I have a splunk log LOG: "TOTAL NUMBER OF RECORDS IS:0"

I need to Query it in a way that it find a log message if the number of records turn out to be more than 0

I have tried the following

 sourcetype=mylogs | rex "\d+:\d+:\d+\s(?<TOTAL NUMBER OF RECORDS IS:>\d+)$" | where TOTAL NUMBER OF RECORDS IS:>=25

It gives a terminator Error

Answer 1

This did not work for me, may be different splunk versions. I wanted to get "An event at a delay of 102" log for values greater than 100.

Below query worked.

index="***" sourcetype="***" "An event" | rex "An event at a delay of (?<delay>[0-9]+)" | where delay > 100

Answer 2

There are a few things wrong with that query.

• The regular expression looks for 3 sets of digits separated by colons. That doesn't match your example. Try TOTAL NUMBER OF RECORDS IS:(?<field>\d+). You may even get by with :(?<field>\d+).
• The field name in your query should not have spaces in it. Try something like TotalNumberOfRecords.
• Field names can't contain colons. That's probably the source of the error message.

Try this query: sourcetype=mylogs | rex ":\d+(?<TotalNumberOfRecords>\d+)" | where TotalNumberOfRecords>=25

Answer 3

Here's an example SPL to suit your requirement:

| makeresults 
| eval _raw="TOTAL NUMBER OF RECORDS IS:10"
| rex field=_raw "TOTAL NUMBER OF RECORDS IS:(?<record_num>.\d+)" 
| where record_num > 0

Line-by-line Explanation:

1. Line 1-2: Creating a dummy event for this test.
2. Line 3: Extract the value of number of records from _raw and store it in record_num field.
3. Line 4: where clause to filter results.