Splunk searching event logs to find values exceeding a given threshold

Question

I want to search the log event

"Closure request counts: startAssets: "

and find occurrences where the startAssets are larger than 50.

How would I do that?

Something like:

Closure request counts: startAssets: 51

would maybe give a search similar to

"Closure request counts: startAssets: {num} AND num >=50"

perhaps?

What does that look like in SPL?

score 4 · Accepted Answer · edited Dec 16 '20 at 14:47

4

That's pretty simple, but you'll need to extract the number to do it. I like to use the rex command to do that, but there may be other ways.

index=foo "Closure request counts: startAssets: *"
| rex "startAssets: (?<startAssets>\d+)"
| where startAssets > 50

edited Dec 16 '20 at 14:47

warren

answered Dec 15 '20 at 23:52

RichG

1 Answers1