- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field extractions with default value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can a field extraction be devised so that it has a default value when the regex is not matched?
I have defined an extracted field based on a regex which matches a specific pattern in an event. The resulting field will contain the matched data if it was present and the field will not exist for an event where the pattern was not matched.
All that is good.
However, for the cases where the pattern did not match, I would rather the field exist and contain a hyphen ("-").
Within the confines of a field extraction, is there a way to do this? I know I could use fillnull to add the hyphens later, but I'd prefer a more elegant solution.
In no solution exists, I can live with it, but if I can have this, it would streamline my searching.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use calculated fields if you want to avoid using searches to populate the value.
In this snippet from props.conf, bytes_out will always be populated to 0 if it was null:
[somesourcetype]
EVAL-bytes_out = if(isnull(bytes_out),0,bytes_out)
The normal eval functions should work. Note that calculated fields was included starting with Splunk 5.0 so it won't work on 4.X or earlier.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use calculated fields if you want to avoid using searches to populate the value.
In this snippet from props.conf, bytes_out will always be populated to 0 if it was null:
[somesourcetype]
EVAL-bytes_out = if(isnull(bytes_out),0,bytes_out)
The normal eval functions should work. Note that calculated fields was included starting with Splunk 5.0 so it won't work on 4.X or earlier.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, just what the doctor ordered! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can simply use the command fillnull at search time to get what you want.
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/fillnull
Like so:
Where
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Guess I should read peoples questions more carefully 🙂
Take a look at Luke's answer. Looks promising.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As mentioned in my question I knew about this possibility. But I am hoping to have this populated at extraction time and simplify my searches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fair enough @Ayn 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I converted your comment into an answer - if it's an answer please put it in as one 🙂
New Case Study Shows the Value of Partnering with Splunk Academic Alliance
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
