Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Eval condition in props.conf using mvindex?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a field which contains 2 values for every event as shown below:
Field Name :- Username
Example Values :- A,B
Now from the above example I have defined 2 extra fields first_user and second_user
first_user=A (1st field value from Username)
second_user=B (2nd field value from Username)
Both the above 2 fields work well as long as the Username field has two values but when the Username has only 1 value like the first field(A) is there and the second field(B) is null. I want to display the Null or empty for second_user field but instead right now it just picking up the A value for second_user field.
In order to resolve this, I'm trying to work on a Regex on props.conf by using some if condition and a mvindex command to give the logic something like if the B is null. I want to display null.
Any help on providing the format for regex would be great.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can setup a calculated field with this definition:
second_user = coalesce(second_user, "Null")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can setup a calculated field with this definition:
second_user = coalesce(second_user, "Null")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if something like this works for you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks @somesoni2 regex works good. Now how can I apply that regex on props.conf what is the syntax for that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the original field (which has two Username values) is already extract, then follow solution from this :
https://answers.splunk.com/answers/322843/extract-fields-from-an-already-extracted-field.html
If not, then you can setup based on _raw data but would need to adjust the regex then setup like this
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Exampleconfigurationswithprops.conf
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Exampleconfigurationsusingfieldtransfor...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
