topic Re: Conditional Rex Expression in Splunk Search

Conditional Rex Expression

IRHM73 — Wed, 15 Jul 2015 11:18:19 GMT

Hi, I wonder whether someone could help me please.

I'm using the following rex expression to extract the Employers Name : rex "Employers Name=(?<contactname>[^,]*)".

I then have the following rex expression to extract the Providers Name: rex "Providers Name=(?<contactname>[^,]*)".

I'm not even sure whether this is possible, but could someone tell me please is there a way by which I can join these, so if the 'Employers Name' is shown in the event data then that is the data used for the 'contactname' value, but if the 'Providers Name' is present, then use this value for the 'contactname' field.

Many thanks and kind regards

Chris

Re: Conditional Rex Expression

lcrielaa — Wed, 15 Jul 2015 12:17:08 GMT

There's the eval command called "coalesce" which merges two fields together into a new field. Imagine the following; I have 2 fields that contains values, these fields are called "clientip" and "ipaddress", but sometimes "clientip" is empty and then I want to use the value from "ipaddress" instead. What I do is I coalesce these two fields together into a new field called "IpAddr".

| eval IpAddr=coalesce(clientip, ipaddress)

The field "IpAddr" will be filled with the value from "clientip", unless "clientip" is empty, then it'll pick the value from "ipaddress". You can add as many fields to coalesce as you want.

Re: Conditional Rex Expression

IRHM73 — Wed, 15 Jul 2015 12:42:53 GMT

Hi @Icrielaa, thank you for taking the time to read my post and come back to me with this.

With your kind suggestion, I've put together the following:

eval contact=coalesce(Employers_Name, Provider_Name)

The problem I have is that where a 'Provider Name' is found, it using the value 'Provide Name' rather than the field value.

Many thanks and kind regards

Chris

Re: Conditional Rex Expression

lcrielaa — Wed, 15 Jul 2015 13:03:21 GMT

do you have some sample logging that you could post here (just a few lines)?

Re: Conditional Rex Expression

IRHM73 — Wed, 15 Jul 2015 13:34:03 GMT

Hi, thank you for coming back to me with this.

Because of it's convidential nature I can only provide some examples as below. I hope this is ok?

I had a thought though, I'm just wondering whether the problem could be because of two issues:

Either the field 'Employer Name' or 'Provider Name' are present, but the field is blank,
Neither the fields 'Employer Name' or 'Provider Name' are present.

Employers Name=The Employer, Employers Address=Address Line 1=The Road, Address Line 2=The Town, Address Line 3=, Address Line 4=, Employers PostCode=AB1 2CD"

Providers Name=The Employer, Employers Address=Address Line 1=The Road, Address Line 2=The Town, Address Line 3=, Address Line 4=, Employers PostCode=AB1 2CD"

Many thanks and kind regards

Chris

Re: Conditional Rex Expression

lcrielaa — Wed, 15 Jul 2015 15:33:35 GMT

| rex "Employers Name=(?<employersname>[^,]*)" | rex "Providers Name=(?<providername>[^,]*)" | eval contactname=coalesce(employersname,providername) | table contactname

This should extract both the Employer's Name (if it exists) and the Provider's Name (if it exists) and fill the field "contactname" with the employers name, unless that's empty, then it'll put the providername in there.

I see from your logging that it's all key/value pairs, did you try using the | extract pairdelim=",", kvdelim="=" keyword to automatically extract these fields? Splunk will extract the Employer's Name and Provider's Name if they exist and that should solve all your problems.

Re: Conditional Rex Expression

IRHM73 — Mon, 20 Jul 2015 07:41:20 GMT

Thank you @Icrielaa, your code worked great.

Many thanks and kind regards

Chris