topic Re: Can I use regex within an IF statement? in Splunk Search

Can I use regex within an IF statement?

albinortiz — Wed, 18 Jul 2018 19:19:45 GMT

This is what I have so far:

| eval output = if (Object = "false", [rex field=_raw"(?s)(?.*)(?), "Empty"

What I am trying to do is to perform a regex on a line if the value of the object is false. The reason I'm doing this is because I have an xml file that, when generated, the output can be 1 of 2 things. depending the Object value is the rex that needs to be used (I will be changing the "Empty" tag for another rex if this is possible).

Re: Can I use regex within an IF statement?

auraria1 — Wed, 18 Jul 2018 19:26:58 GMT

The way I do it is with match.

| eval output = if(match(Object,"regex goes here"),"false", "empty")

Or something along those lines.

Does that make sense or help?

Re: Can I use regex within an IF statement?

somesoni2 — Wed, 18 Jul 2018 19:38:13 GMT

No you can't, but you can do something like this

... | rex field=_raw "your reg ex 1 to extract <field1>" | rex field=_raw "your reg ex 2 to extract <field2>" 
| eval output=if(Object="false", field1, field2)

Re: Can I use regex within an IF statement?

albinortiz — Wed, 18 Jul 2018 21:43:00 GMT

Thanks both yours and the answer above worked. Thanks for all the help.

Re: Can I use regex within an IF statement?

albinortiz — Wed, 18 Jul 2018 21:43:42 GMT

Thanks both yours and the answer below worked. Thanks for all the help. I've tried this one before but never thought I had to call the rex field command again.

Re: Can I use regex within an IF statement?

auraria1 — Thu, 19 Jul 2018 17:46:42 GMT

No problem, glad I could help.

Evals can be a bit tricky, always a fun time working through those switches.