Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combine/ Compare two REX fields

kamaleshwar
Explorer
‎12-30-2015 11:44 PM

Hello,

I'm having the two REX fields and want to search the logs with those fields. Which one matches that field needs to be given as output. Below are the REX

rex "^(?:[^:\n]:){5}\s+(?P<email_2dot>\w+.\w+.\w+@\w+.\w+)"
rex "^(?:[^:\n]:){5}\s+(?P<email_dot>\w+.\w+@\w+.\w+)"

and i want to display with the same name EMAIL since need of only one field in the result. as i can get the result in the two fields email_2dot and email_dot but it should be as single field. Please help on this. If you have any concern please comment.

Reply

jkat54
SplunkTrust
SplunkTrust
‎01-01-2016 04:15 AM

Just name the field the same in both rex commands:

  rex "^(?:[^:n]:){5}s+(?P<email>w+.w+.w+@w+.w+)" | rex "^(?:[^:n]:){5}s+(?P<email>w+.w+@w+.w+)"

Or use rename:

  rex "^(?:[^:n]:){5}s+(?P<email>w+.w+.w+@w+.w+)" | rex "^(?:[^:n]:){5}s+(?P<email2>w+.w+@w+.w+)" | rename email2 AS email
Reply

kamaleshwar
Explorer
‎11-19-2019 08:24 AM

If we rename it as email, would it not over write the previous value?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...