https://community.splunk.com/t5/Splunk-Search/How-to-insert-IF-in-regular-expression/m-p/347580#M102947 <P>Is Splunk not extracting them for you automatically? can we have some sample events which contains field1 and field2 ?</P> <P>A simpler option would be to just setup two field extractions, one for field1 and one for field2. For events where field2 is not there, it won't extract anything anyways (null value).</P> <PRE><CODE>[yoursourcetype] EXTRACT-field1= field1=(?&lt;field1&gt;\w+) EXTRACT-field2= field2=(?&lt;field2&gt;\w+) </CODE></PRE> Thu, 27 Apr 2017 14:23:13 GMT somesoni2 2017-04-27T14:23:13Z https://community.splunk.com/t5/Splunk-Search/How-to-insert-IF-in-regular-expression/m-p/347577#M102944 <P>Hi to all, I should extract some fields by a log file, in the log file in some cases I have a field (i.e. field1, in other cases I have another field (i.e. field2).</P> <P>For example the log file can contain field1=value1 or field2=value2</P> <P>I need to do something like </P> <PRE><CODE>IF log contains filed1 EXTRACT- field1 =.*field1=(?P&lt;field1&gt;\w+).* ELSE EXTRACT- field2 =.*field2=(?P&lt;field2&gt;\w+).* </CODE></PRE> <P>Is it possible?<BR /> Thanks,<BR /> Andrea</P> Wed, 26 Apr 2017 21:03:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-insert-IF-in-regular-expression/m-p/347577#M102944 andreac81 2017-04-26T21:03:41Z https://community.splunk.com/t5/Splunk-Search/How-to-insert-IF-in-regular-expression/m-p/347578#M102945 <P>The values seems to be standard key-value pair with equal sign as delimiter. Is Splunk not extracting them automatically for you (try to run the search in Smart Mode)?</P> <P>Also, an event will contain either of field1 or field2, so do you want to extract them as separate field name (field1 or field2) or just a common name (say fieldname) so that you can correlate them? If you can use a common name, try like this</P> <PRE><CODE>[yoursourcetype] EXTRACT-fieldname = (field1|field2)=(?&lt;fieldname&gt;\w+) </CODE></PRE> Wed, 26 Apr 2017 21:38:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-insert-IF-in-regular-expression/m-p/347578#M102945 somesoni2 2017-04-26T21:38:14Z https://community.splunk.com/t5/Splunk-Search/How-to-insert-IF-in-regular-expression/m-p/347579#M102946 <P>Using <BR /> EXTRACT-fieldname = (field1|field2)=(?<FIELDNAME>\w+)<BR /> I store both field1 or field2 in fieldname, I need to store field1 in fieldname1 and field2 in fieldname2 considering that the log file can contains sometimes field1 other times field2</FIELDNAME></P> <P>Thanks</P> Thu, 27 Apr 2017 14:15:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-insert-IF-in-regular-expression/m-p/347579#M102946 andreac81 2017-04-27T14:15:06Z https://community.splunk.com/t5/Splunk-Search/How-to-insert-IF-in-regular-expression/m-p/347580#M102947 <P>Is Splunk not extracting them for you automatically? can we have some sample events which contains field1 and field2 ?</P> <P>A simpler option would be to just setup two field extractions, one for field1 and one for field2. For events where field2 is not there, it won't extract anything anyways (null value).</P> <PRE><CODE>[yoursourcetype] EXTRACT-field1= field1=(?&lt;field1&gt;\w+) EXTRACT-field2= field2=(?&lt;field2&gt;\w+) </CODE></PRE> Thu, 27 Apr 2017 14:23:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-insert-IF-in-regular-expression/m-p/347580#M102947 somesoni2 2017-04-27T14:23:13Z https://community.splunk.com/t5/Splunk-Search/How-to-insert-IF-in-regular-expression/m-p/347581#M102948 <P>Hi there, perhaps something like this might work for you.</P> <P>In <CODE>props.conf</CODE> add this:</P> <PRE><CODE>[&lt;your_sourcetype&gt;] TRANSFORMS-kv_xtraction = kv_extraction </CODE></PRE> <P>In <CODE>transforms.conf</CODE> add this:</P> <PRE><CODE>[kv_extraction] REGEX = \s([^\s]+)=([^\s]+) FORMAT = $1::$2 </CODE></PRE> <P>Hope it helps.</P> Thu, 27 Apr 2017 15:40:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-insert-IF-in-regular-expression/m-p/347581#M102948 alemarzu 2017-04-27T15:40:13Z