Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with replacing values

jameskerivan
Explorer
‎10-14-2015 04:40 PM

Hi,

I have my output I was looking for, but was wondering if there was a cleaner way to do it. Basically I have a field like such f1||f2||f3||f4. f2 and f3 can be null in some cases. If they are null I wanted to replace them with my own string. right now i have this as my query.

rex field=transaction_type "(?<TransferType>.)||(?<FromAcct>.)||(?<ToAcct>.)||(?<When>.)"
| eval FromAcct = if(FromAcct="null", "Non" ,FromAcct)
| eval ToAcct = if(ToAcct="null", "Non" ,ToAcct)
| stats count by TransferType, FromAcct, ToAcct, When
| sort count desc

Now I dont like that i have two evals cases where I use if. I wanted to use eval case but wasn't able to get it to work because of how I parse my field.

Thanks for the help!

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-14-2015 05:08 PM

Like this:

rex field=transaction_type "(?<TransferType>.)||(?<FromAcct>.)||(?<ToAcct>.)||(?<When>.)"
| replace "null" WITH "Non" IN ToAcct FromAcct
| stats count by TransferType, FromAcct, ToAcct, When
| sort count desc

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-14-2015 05:08 PM

Like this:

rex field=transaction_type "(?<TransferType>.)||(?<FromAcct>.)||(?<ToAcct>.)||(?<When>.)"
| replace "null" WITH "Non" IN ToAcct FromAcct
| stats count by TransferType, FromAcct, ToAcct, When
| sort count desc
Reply
Solved! Jump to solution

jameskerivan
Explorer
‎10-15-2015 10:36 AM

Thank you!

0 Karma
Reply
Solved! Jump to solution

gcato
Contributor
‎10-14-2015 04:45 PM

Hi jameskerivan,

Have you seen the fillnull command. it can replace nulls with a value. Refer to: http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Fillnull

Hope this helps.

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎10-14-2015 04:46 PM

Yeah, but he is matching a literal string null - the values aren't actually null, they're filled with a literal value, which just happens to be the string, null. So the fillnull command sadly won't work here.

0 Karma
Reply
Solved! Jump to solution

gcato
Contributor
‎10-14-2015 04:51 PM

Yes, very true. I'd suggest the rex command then.
...| rex mode=sed field=_raw "s/null/Non/g" |rex field=transaction_type ...
Note: Must happen before the rex field extraction

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...