Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extractions with default value

ltruesda
Explorer
‎12-17-2013 12:43 PM

Can a field extraction be devised so that it has a default value when the regex is not matched?

I have defined an extracted field based on a regex which matches a specific pattern in an event. The resulting field will contain the matched data if it was present and the field will not exist for an event where the pattern was not matched.

All that is good.

However, for the cases where the pattern did not match, I would rather the field exist and contain a hyphen ("-").

Within the confines of a field extraction, is there a way to do this? I know I could use fillnull to add the hyphens later, but I'd prefer a more elegant solution.

In no solution exists, I can live with it, but if I can have this, it would streamline my searching.

Thanks!

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎12-17-2013 10:37 PM

You could use calculated fields if you want to avoid using searches to populate the value.

In this snippet from props.conf, bytes_out will always be populated to 0 if it was null:

[somesourcetype]
EVAL-bytes_out = if(isnull(bytes_out),0,bytes_out)

The normal eval functions should work. Note that calculated fields was included starting with Splunk 5.0 so it won't work on 4.X or earlier.

View solution in original post

Reply
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎12-17-2013 10:37 PM

You could use calculated fields if you want to avoid using searches to populate the value.

In this snippet from props.conf, bytes_out will always be populated to 0 if it was null:

[somesourcetype]
EVAL-bytes_out = if(isnull(bytes_out),0,bytes_out)

The normal eval functions should work. Note that calculated fields was included starting with Splunk 5.0 so it won't work on 4.X or earlier.

Reply
Solved! Jump to solution

ltruesda
Explorer
‎12-18-2013 04:25 PM

Thanks, just what the doctor ordered! 🙂

0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎12-17-2013 12:58 PM

You can simply use the command fillnull at search time to get what you want.

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/fillnull

Like so:

| fillnull value="-"

Where needs to be the field that you want to add hyphens instead of not having the field.

Hope this helps

Reply
Solved! Jump to solution

aholzer
Motivator
‎12-18-2013 06:09 AM

Guess I should read peoples questions more carefully 🙂

Take a look at Luke's answer. Looks promising.

0 Karma
Reply
Solved! Jump to solution

ltruesda
Explorer
‎12-17-2013 01:51 PM

As mentioned in my question I knew about this possibility. But I am hoping to have this populated at extraction time and simplify my searches.

0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎12-17-2013 01:43 PM

Fair enough @Ayn 🙂

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎12-17-2013 01:08 PM

I converted your comment into an answer - if it's an answer please put it in as one 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top