https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181874#M52408 <P>Thanks, just what the doctor ordered! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 19 Dec 2013 00:25:44 GMT ltruesda 2013-12-19T00:25:44Z https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181867#M52401 <P>Can a field extraction be devised so that it has a default value when the regex is not matched?</P> <P>I have defined an extracted field based on a regex which matches a specific pattern in an event. The resulting field will contain the matched data if it was present and the field will not exist for an event where the pattern was not matched. </P> <P>All that is good.</P> <P>However, for the cases where the pattern did not match, I would rather the field exist and contain a hyphen ("-"). </P> <P>Within the confines of a field extraction, is there a way to do this? I know I could use fillnull to add the hyphens later, but I'd prefer a more elegant solution. </P> <P>In no solution exists, I can live with it, but if I can have this, it would streamline my searching. </P> <P>Thanks!</P> Tue, 17 Dec 2013 20:43:21 GMT https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181867#M52401 ltruesda 2013-12-17T20:43:21Z https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181868#M52402 <P>You can simply use the command fillnull at search time to get what you want. </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/fillnull">http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/fillnull</A></P> <P>Like so:</P> <P><YOUR_BASE_SEARCH> | fillnull value="-" <YOUR_FIELD></YOUR_FIELD></YOUR_BASE_SEARCH></P> <P>Where <YOUR_FIELD> needs to be the field that you want to add hyphens instead of not having the field.</YOUR_FIELD></P> <P>Hope this helps</P> Tue, 17 Dec 2013 20:58:06 GMT https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181868#M52402 aholzer 2013-12-17T20:58:06Z https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181869#M52403 <P>I converted your comment into an answer - if it's an answer please put it in as one <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 17 Dec 2013 21:08:36 GMT https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181869#M52403 Ayn 2013-12-17T21:08:36Z https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181870#M52404 <P>Fair enough @Ayn <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 17 Dec 2013 21:43:00 GMT https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181870#M52404 aholzer 2013-12-17T21:43:00Z https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181871#M52405 <P>As mentioned in my question I knew about this possibility. But I am hoping to have this populated at extraction time and simplify my searches.</P> Tue, 17 Dec 2013 21:51:38 GMT https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181871#M52405 ltruesda 2013-12-17T21:51:38Z https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181872#M52406 <P>You could use <A href="http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/definecalcfields">calculated fields</A> if you want to avoid using searches to populate the value.</P> <P>In this snippet from props.conf, bytes_out will always be populated to 0 if it was null:</P> <PRE><CODE>[somesourcetype] EVAL-bytes_out = if(isnull(bytes_out),0,bytes_out) </CODE></PRE> <P>The normal <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions">eval functions</A> should work. Note that calculated fields was included starting with Splunk 5.0 so it won't work on 4.X or earlier.</P> Wed, 18 Dec 2013 06:37:20 GMT https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181872#M52406 LukeMurphey 2013-12-18T06:37:20Z https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181873#M52407 <P>Guess I should read peoples questions more carefully <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Take a look at Luke's answer. Looks promising.</P> Wed, 18 Dec 2013 14:09:42 GMT https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181873#M52407 aholzer 2013-12-18T14:09:42Z https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181874#M52408 <P>Thanks, just what the doctor ordered! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 19 Dec 2013 00:25:44 GMT https://community.splunk.com/t5/Splunk-Search/Field-extractions-with-default-value/m-p/181874#M52408 ltruesda 2013-12-19T00:25:44Z