Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with replacing values

jameskerivan
Explorer
‎10-14-2015 04:40 PM

Hi,

I have my output I was looking for, but was wondering if there was a cleaner way to do it. Basically I have a field like such f1||f2||f3||f4. f2 and f3 can be null in some cases. If they are null I wanted to replace them with my own string. right now i have this as my query.

rex field=transaction_type "(?<TransferType>.)||(?<FromAcct>.)||(?<ToAcct>.)||(?<When>.)"
| eval FromAcct = if(FromAcct="null", "Non" ,FromAcct)
| eval ToAcct = if(ToAcct="null", "Non" ,ToAcct)
| stats count by TransferType, FromAcct, ToAcct, When
| sort count desc

Now I dont like that i have two evals cases where I use if. I wanted to use eval case but wasn't able to get it to work because of how I parse my field.

Thanks for the help!

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-14-2015 05:08 PM

Like this:

rex field=transaction_type "(?<TransferType>.)||(?<FromAcct>.)||(?<ToAcct>.)||(?<When>.)"
| replace "null" WITH "Non" IN ToAcct FromAcct
| stats count by TransferType, FromAcct, ToAcct, When
| sort count desc

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-14-2015 05:08 PM

Like this:

rex field=transaction_type "(?<TransferType>.)||(?<FromAcct>.)||(?<ToAcct>.)||(?<When>.)"
| replace "null" WITH "Non" IN ToAcct FromAcct
| stats count by TransferType, FromAcct, ToAcct, When
| sort count desc
Reply
Solved! Jump to solution

jameskerivan
Explorer
‎10-15-2015 10:36 AM

Thank you!

0 Karma
Reply
Solved! Jump to solution

gcato
Contributor
‎10-14-2015 04:45 PM

Hi jameskerivan,

Have you seen the fillnull command. it can replace nulls with a value. Refer to: http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Fillnull

Hope this helps.

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎10-14-2015 04:46 PM

Yeah, but he is matching a literal string null - the values aren't actually null, they're filled with a literal value, which just happens to be the string, null. So the fillnull command sadly won't work here.

0 Karma
Reply
Solved! Jump to solution

gcato
Contributor
‎10-14-2015 04:51 PM

Yes, very true. I'd suggest the rex command then.
...| rex mode=sed field=_raw "s/null/Non/g" |rex field=transaction_type ...
Note: Must happen before the rex field extraction

0 Karma
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...