Execute regex statements only when a condition is ...

Splunk_User88 · ‎01-02-2023

I have a use case where i would need to use regex to extract values only if a condition is met.

index=sample 
[search index=sample key=my_key
|table msg host] 
| rex max_match=0 field=_raw "a\d=\"(?<test>.*?)\""
| eval a = if(len(a)>255 OR isnull(a),"*Regex and if statements need to be here*",a)
| stats values(test) as test by msg host

The aim is to use regex inside the if statement .

The logic is if len(a) or a is null then use regex and populate the value test.

I am looking for the same functionality as match() but instead of bool value I need the matched results.

Is there any way to get this functionality?

bowesmana · ‎01-02-2023

@Splunk_User88

You can't do exactly what you are trying to do, but there is generally a way to achieve what you want.

Can you be a bit more specific on your outputs from that eval a= statement, as it's not clear what you are trying to do with 'a', as it's not used after that in the stats command

You can always do a rex statement to extract a new field based on the regex you are trying to get a match for. If there is a match, you will get a field with the result, otherwise null. Then you can make the "a=" assignment use that extracted field based on the len/null conditions you have, e.g. something like

index=sample 
[search index=sample key=my_key
|table msg host] 
| rex max_match=0 field=_raw "a\d=\"(?<test>.*?)\""
``` Always do this rex to get the new_field based on your regex ```
| rex field=a "(?<new_field>your_regex)"
``` And only assign to 'a' if the conditions are met ```
| eval a = if(len(a)>255 OR isnull(a),new_field, null())
| stats values(test) as test by msg host

Splunk_User88 · ‎01-03-2023

I am essentially trying to mimic an if block that we use in python or any other language

So if statement is true then execute some statements or don't execute them at all

ITWhisperer · ‎01-04-2023

Splunk SPL is not a procedural language - you are essentially processing a pipeline of events and each command receives all the events currently in the pipeline and passes them on, processing them as it goes. The processing may add information, remove information, or combine multiple events into fewer events, or split events into more events. Try not to get hung up on procedural language constructs, take it back to what the end result should be and work with language to achieve the result.

ITWhisperer · ‎01-02-2023

Use a temporary field, and only keep the results if the condition is true

| rex field=field_to_extract_from "pre-anchor(?<temporary_field>match expression)post-anchor"
| eval field_to_keep=if(condition,temporary_field,field_to_keep)

Splunk_User88 · ‎01-02-2023

Yes i am doing that and storing it in test field but i don't want that

I want the regex to extract value only when if condition is satisfied

ITWhisperer · ‎01-02-2023

If you don't want the temporary field, just remove it

| rex field=field_to_extract_from "pre-anchor(?<temporary_field>match expression)post-anchor"
| eval field_to_keep=if(condition,temporary_field,field_to_keep)
| fields - temporary_field

Execute regex statements only when a condition is met?

eval

field extraction

fields

regex

subsearch

table

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!