https://community.splunk.com/t5/Splunk-Search/Regex-for-fields-that-may-or-not-be-filled/m-p/99883#M25794 <P>You may want to try using an eval statement such as;</P> <PRE><CODE>|eval sourcecomputer=if(sourcecomputer=="", "missing", sourcecomputer) </CODE></PRE> <P>This will rewrite your field that has an empty value (not exactly NULL) and replace it with missing and otherwise replace it with whatever is already in the sourcecomputer field.</P> <P>That will work for one value at a time, otherwise, you may want to use the sed mode to replace empty values in your raw string.</P> <PRE><CODE>|rex field=_raw mode=sed "s/:\s,/:\smissing,/g" </CODE></PRE> Tue, 23 Oct 2012 23:33:06 GMT Rob 2012-10-23T23:33:06Z https://community.splunk.com/t5/Splunk-Search/Regex-for-fields-that-may-or-not-be-filled/m-p/99882#M25793 <P>Hey Guys, tricky one I came across.<BR /> I have to find and match on fields that may not be present.<BR /> So far I have this to find the fields when they exist:</P> <P>"Source computer: (?P<SOURCECOMPUTER>[^,]+) ,Source IP: (?P<SOURCEIP>[^,]+)"</SOURCEIP></SOURCECOMPUTER></P> <P>But it fails when the field is not filled and just looks like this:<BR /> "Source computer: " or "Source IP: ".<BR /> In fact the whole thing can look like this:<BR /> "Source computer: ,Source IP: ,<NEXT field="" etc="">"</NEXT></P> <P>How can I overcome this and maybe insert a "null" or "missing" string if the field is empty?<BR /> Ive tried with no success:<BR /> | fillnull value="missing" sourcecomputer<BR /> | fillnull value=NULL sourcecomputer</P> <P>Anyone? Thanks in advance.</P> Tue, 23 Oct 2012 22:47:09 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-fields-that-may-or-not-be-filled/m-p/99882#M25793 mrgibbon 2012-10-23T22:47:09Z https://community.splunk.com/t5/Splunk-Search/Regex-for-fields-that-may-or-not-be-filled/m-p/99883#M25794 <P>You may want to try using an eval statement such as;</P> <PRE><CODE>|eval sourcecomputer=if(sourcecomputer=="", "missing", sourcecomputer) </CODE></PRE> <P>This will rewrite your field that has an empty value (not exactly NULL) and replace it with missing and otherwise replace it with whatever is already in the sourcecomputer field.</P> <P>That will work for one value at a time, otherwise, you may want to use the sed mode to replace empty values in your raw string.</P> <PRE><CODE>|rex field=_raw mode=sed "s/:\s,/:\smissing,/g" </CODE></PRE> Tue, 23 Oct 2012 23:33:06 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-fields-that-may-or-not-be-filled/m-p/99883#M25794 Rob 2012-10-23T23:33:06Z https://community.splunk.com/t5/Splunk-Search/Regex-for-fields-that-may-or-not-be-filled/m-p/99884#M25795 <P>Answered my own question, using * and not + at the end of the search.</P> Wed, 24 Oct 2012 00:42:23 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-fields-that-may-or-not-be-filled/m-p/99884#M25795 mrgibbon 2012-10-24T00:42:23Z