https://community.splunk.com/t5/Splunk-Search/Extract-the-same-field-two-different-ways/m-p/33720#M178304 <P>I want to end up with a filed called mapi_err that contains a MAPI error string. I am looking at the third line in a multi-line event which may look like:</P> <P>Unpopulated address list - can't resolve names: MAPI_E_NOT_FOUND</P> <P>or it may look like</P> <P>Unable to create MAPI message in Outbox, HR=80040115</P> <P>In the first case, the error string is in the event, MAPI_E_NOT_FOUND, so I can just extract any ": MAPI_*". In the second case, I need to extract the hex error code, 80040115, after "HR=" and then do a lookup in a CSV to get the MAPI error string. I can't figure out a way to accommodate both event formats in a search string. I've gotten the full line into mapi_err_full and then tried:</P> <PRE><CODE>rex field=mapi_err_full ": (?&amp;lt;mapi_err&gt;MAPI_.*)" | rex field=mapi_err_full "HR=(?&amp;lt;mapi_err_hex&gt;[0-9]+)" | lookup MAPIErrorCodes "Hex" as mapi_err_hex OUTPUT "Code" as mapi_err </CODE></PRE> <P>I really only want to do the lookup if mapi_err_hex is defined. Otherwise, when the lookup fails for events without a mapi_err_hex, it destroys the good value already in mapi_err. Do I have to resort to two separate extractions in props.conf?</P> Mon, 28 Sep 2020 12:15:28 GMT tstanley 2020-09-28T12:15:28Z https://community.splunk.com/t5/Splunk-Search/Extract-the-same-field-two-different-ways/m-p/33720#M178304 <P>I want to end up with a filed called mapi_err that contains a MAPI error string. I am looking at the third line in a multi-line event which may look like:</P> <P>Unpopulated address list - can't resolve names: MAPI_E_NOT_FOUND</P> <P>or it may look like</P> <P>Unable to create MAPI message in Outbox, HR=80040115</P> <P>In the first case, the error string is in the event, MAPI_E_NOT_FOUND, so I can just extract any ": MAPI_*". In the second case, I need to extract the hex error code, 80040115, after "HR=" and then do a lookup in a CSV to get the MAPI error string. I can't figure out a way to accommodate both event formats in a search string. I've gotten the full line into mapi_err_full and then tried:</P> <PRE><CODE>rex field=mapi_err_full ": (?&amp;lt;mapi_err&gt;MAPI_.*)" | rex field=mapi_err_full "HR=(?&amp;lt;mapi_err_hex&gt;[0-9]+)" | lookup MAPIErrorCodes "Hex" as mapi_err_hex OUTPUT "Code" as mapi_err </CODE></PRE> <P>I really only want to do the lookup if mapi_err_hex is defined. Otherwise, when the lookup fails for events without a mapi_err_hex, it destroys the good value already in mapi_err. Do I have to resort to two separate extractions in props.conf?</P> Mon, 28 Sep 2020 12:15:28 GMT https://community.splunk.com/t5/Splunk-Search/Extract-the-same-field-two-different-ways/m-p/33720#M178304 tstanley 2020-09-28T12:15:28Z https://community.splunk.com/t5/Splunk-Search/Extract-the-same-field-two-different-ways/m-p/33721#M178305 <P>See if this works for you , extract the first case to "mapi_err_1" and the hex code lookup to "mapi_err_2" , then coalesce the results into the field "mapi_err"</P> <PRE><CODE>... | eval mapi_err=coalesce(mapi_err_1, mapi_err_2) </CODE></PRE> Mon, 28 Sep 2020 12:15:30 GMT https://community.splunk.com/t5/Splunk-Search/Extract-the-same-field-two-different-ways/m-p/33721#M178305 Damien_Dallimor 2020-09-28T12:15:30Z https://community.splunk.com/t5/Splunk-Search/Extract-the-same-field-two-different-ways/m-p/33722#M178306 <P>Ahh, yes, exactly what I was looking for. I was thinking about an if() statement or field aliasing, some way to choose between two values or to combine them. I didn't know about coalesce. Works great, thanks!</P> Tue, 14 Aug 2012 15:27:59 GMT https://community.splunk.com/t5/Splunk-Search/Extract-the-same-field-two-different-ways/m-p/33722#M178306 tstanley 2012-08-14T15:27:59Z