topic Re: How to use Regex inside a Case statement in Splunk Search

How to use Regex inside a Case statement?

amitrinx — Thu, 16 Mar 2023 19:09:49 GMT

Hi,
How can i write this statement

| eval protocolUsed = case( regex consumerkey="[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}","O1",
regex consumerkey="^[a-z0-9A-Z]{2,}$", "O2"))

Re: How to use Regex inside a Case statement

isoutamo — Thu, 16 Mar 2023 08:35:52 GMT

What issue you are trying to solve?

regex command select rows which are matching it and drop others. So you cannot use it like this.

If you want to pick part of event to a new field then you should use rex command not regex.

r. Ismo

Re: How to use Regex inside a Case statement

amitrinx — Thu, 16 Mar 2023 08:39:20 GMT

I want to match certain keys and group them as O1 and others set of Keys to O2, and then use the fields
If i have to use rex field then in that case I should create two fields?

Have you understood?

Re: How to use Regex inside a Case statement

isoutamo — Thu, 16 Mar 2023 08:43:23 GMT

Yes I think that this is the easiest way to do it. Later you can use e.g. coalesce to select which value you have in current event. Or use case with isnull/isnotnull conditions.

Re: How to use Regex inside a Case statement

ITWhisperer — Thu, 16 Mar 2023 09:13:17 GMT

| eval protocolUsed = case(match(consumerKey,"[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}"),"O1", match(consumerKey,"^[a-z0-9A-Z]{2,}$"), "O2")

Re: How to use Regex inside a Case statement

amitrinx — Thu, 16 Mar 2023 09:32:24 GMT

@ITWhisperer
I am getting Error in 'EvalCommand': The expression is malformed. Expected ).

Re: How to use Regex inside a Case statement

ITWhisperer — Thu, 16 Mar 2023 09:36:24 GMT

Please check that you have copied it correctly because this has been copied directly from a valid search