https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-in-calculated-fields/m-p/629672#M218758 <P>Thanks, thats works.</P> Mon, 06 Feb 2023 06:32:48 GMT bitnapper 2023-02-06T06:32:48Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-in-calculated-fields/m-p/629478#M218672 <P class="lia-align-justify">Hi, I've been told, that using field extractions on json is not best practis and that I should use calculated fields instead. In some cases thats easy and I can use replace or other methods to do that but in some it is more difficult.&nbsp;</P> <P class="lia-align-justify">I have some events giving me information about software versions. When I try to extract the version string from as follows, I get the results for events containing this string. In all other cases I get the complete string instead. What I need is the matching string or nothing. I couldn't figure out how to do that.</P> <PRE>replace(message, "^My Software Version (\S+).*", "\1") </PRE> <P>&nbsp;</P> Fri, 03 Feb 2023 16:04:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-in-calculated-fields/m-p/629478#M218672 bitnapper 2023-02-03T16:04:16Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-in-calculated-fields/m-p/629481#M218673 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245847">@bitnapper</a>,</P><P>I'd use the rex command in sed mode to do this (<A href="https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Rex" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Rex</A>)</P><P>something like this:</P><LI-CODE lang="markup">| rex field=message mode=sed "s/^My Software Version (\S+).*/NA/g"</LI-CODE><P>I'm not sure about the condition, could you share some sample of both data types with the exact substitution you whould have?</P><P>Ciao.</P><P>Giuseppe</P> Fri, 03 Feb 2023 11:41:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-in-calculated-fields/m-p/629481#M218673 gcusello 2023-02-03T11:41:55Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-in-calculated-fields/m-p/629498#M218681 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>,</P><P>thanks for your reply. I tested the regex with the | rex command. It not that I can't extract the data. I just can't extract it with the calculated field extraction. As far as I understand, everything that works with | eval would work in calculated fields. Thats why I do it with replace in cases where I know that I have a match in every event.</P> Fri, 03 Feb 2023 13:21:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-in-calculated-fields/m-p/629498#M218681 bitnapper 2023-02-03T13:21:35Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-in-calculated-fields/m-p/629656#M218750 <P>Using replace will replace the string if a match is found. If no match is found, it will not replace aything.</P><P>You can using "if" statement&nbsp;</P><LI-CODE lang="markup">if(match(message, "^My Software Version (\S+).*"), replace(message, "^My Software Version (\S+).*", "\1"), "")</LI-CODE><P>The last "" means that the assigned field will be an empty string, but if you want that field not to exist for that event, then use <STRONG>null()</STRONG> instead</P> Sun, 05 Feb 2023 22:40:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-in-calculated-fields/m-p/629656#M218750 bowesmana 2023-02-05T22:40:05Z https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-in-calculated-fields/m-p/629672#M218758 <P>Thanks, thats works.</P> Mon, 06 Feb 2023 06:32:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-regex-in-calculated-fields/m-p/629672#M218758 bitnapper 2023-02-06T06:32:48Z