topic Re: Does the rex command filter events if the regular expression fails to match in Splunk Search

Does the rex command filter events if the regular expression fails to match?

entpnerd — Wed, 14 Jun 2023 22:34:12 GMT

I'm trying to use a regular expression in a summary query. I want to get all events so that nothing is omitted and I can gather count statistics on all events, even if a regular expression fails to match in the rex command.

Re: Does the rex command filter events if the regular expression fails to match

sduff_splunk — Wed, 23 Oct 2019 03:08:50 GMT

The rex command will not filter or remove any events, even if the rex doesn't match. The regex command is used to filter and remove events based on a regular expression.

If the rex fails to match a field, that field won't be present in that event.

index=foo | rex field=_raw "Hello (?<match>.*)"

For this data, you'll get the following

_raw	match
Hello world!	world!
Goodbye for now

You can then use the fillnull command to put a default value in fields where the value is NULL.

index=foo | rex field=_raw "Hello (?<match>.*)" | fillnull value="EMPTY" match

Which will give you the following results

_raw	match
Hello world!	world!
Goodbye for now	EMPTY

Re: Does the rex command filter events if the regular expression fails to match

otheus — Wed, 14 Jun 2023 12:49:36 GMT

You know, it would be great if the reference page in the online manual for "rex" indicated your answer.