Combine/ Compare two REX fields

kamaleshwar · ‎12-30-2015

Hello,

I'm having the two REX fields and want to search the logs with those fields. Which one matches that field needs to be given as output. Below are the REX

rex "^(?:[^:\n]:){5}\s+(?P<email_2dot>\w+.\w+.\w+@\w+.\w+)"
rex "^(?:[^:\n]:){5}\s+(?P<email_dot>\w+.\w+@\w+.\w+)"

and i want to display with the same name EMAIL since need of only one field in the result. as i can get the result in the two fields email_2dot and email_dot but it should be as single field. Please help on this. If you have any concern please comment.

jkat54 · ‎01-01-2016

Just name the field the same in both rex commands:

  rex "^(?:[^:n]:){5}s+(?P<email>w+.w+.w+@w+.w+)" | rex "^(?:[^:n]:){5}s+(?P<email>w+.w+@w+.w+)"

Or use rename:

  rex "^(?:[^:n]:){5}s+(?P<email>w+.w+.w+@w+.w+)" | rex "^(?:[^:n]:){5}s+(?P<email2>w+.w+@w+.w+)" | rename email2 AS email

kamaleshwar · ‎11-19-2019

If we rename it as email, would it not over write the previous value?

Combine/ Compare two REX fields

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Join the Conversation

Combine/ Compare two REX fields

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination