- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Conditional Rex Expression
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I wonder whether someone could help me please.
I'm using the following rex expression to extract the Employers Name : rex "Employers Name=(?<contactname>[^,]*)".
I then have the following rex expression to extract the Providers Name: rex "Providers Name=(?<contactname>[^,]*)".
I'm not even sure whether this is possible, but could someone tell me please is there a way by which I can join these, so if the 'Employers Name' is shown in the event data then that is the data used for the 'contactname' value, but if the 'Providers Name' is present, then use this value for the 'contactname' field.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's the eval command called "coalesce" which merges two fields together into a new field. Imagine the following; I have 2 fields that contains values, these fields are called "clientip" and "ipaddress", but sometimes "clientip" is empty and then I want to use the value from "ipaddress" instead. What I do is I coalesce these two fields together into a new field called "IpAddr".
| eval IpAddr=coalesce(clientip, ipaddress)
The field "IpAddr" will be filled with the value from "clientip", unless "clientip" is empty, then it'll pick the value from "ipaddress". You can add as many fields to coalesce as you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's the eval command called "coalesce" which merges two fields together into a new field. Imagine the following; I have 2 fields that contains values, these fields are called "clientip" and "ipaddress", but sometimes "clientip" is empty and then I want to use the value from "ipaddress" instead. What I do is I coalesce these two fields together into a new field called "IpAddr".
| eval IpAddr=coalesce(clientip, ipaddress)
The field "IpAddr" will be filled with the value from "clientip", unless "clientip" is empty, then it'll pick the value from "ipaddress". You can add as many fields to coalesce as you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thank you for coming back to me with this.
Because of it's convidential nature I can only provide some examples as below. I hope this is ok?
I had a thought though, I'm just wondering whether the problem could be because of two issues:
- Either the field 'Employer Name' or 'Provider Name' are present, but the field is blank,
Neither the fields 'Employer Name' or 'Provider Name' are present.
Employers Name=The Employer, Employers Address=Address Line 1=The Road, Address Line 2=The Town, Address Line 3=, Address Line 4=, Employers PostCode=AB1 2CD"
Providers Name=The Employer, Employers Address=Address Line 1=The Road, Address Line 2=The Town, Address Line 3=, Address Line 4=, Employers PostCode=AB1 2CD"
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rex "Employers Name=(?<employersname>[^,]*)" | rex "Providers Name=(?<providername>[^,]*)" | eval contactname=coalesce(employersname,providername) | table contactname
This should extract both the Employer's Name (if it exists) and the Provider's Name (if it exists) and fill the field "contactname" with the employers name, unless that's empty, then it'll put the providername in there.
I see from your logging that it's all key/value pairs, did you try using the | extract pairdelim=",", kvdelim="=" keyword to automatically extract these fields? Splunk will extract the Employer's Name and Provider's Name if they exist and that should solve all your problems.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @Icrielaa, your code worked great.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Icrielaa, thank you for taking the time to read my post and come back to me with this.
With your kind suggestion, I've put together the following:
eval contact=coalesce(Employers_Name, Provider_Name)
The problem I have is that where a 'Provider Name' is found, it using the value 'Provide Name' rather than the field value.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do you have some sample logging that you could post here (just a few lines)?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
