Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help with replacing values

jameskerivan
Explorer
‎10-14-2015 04:40 PM

Hi,

I have my output I was looking for, but was wondering if there was a cleaner way to do it. Basically I have a field like such f1||f2||f3||f4. f2 and f3 can be null in some cases. If they are null I wanted to replace them with my own string. right now i have this as my query.

rex field=transaction_type "(?<TransferType>.)||(?<FromAcct>.)||(?<ToAcct>.)||(?<When>.)"
| eval FromAcct = if(FromAcct="null", "Non" ,FromAcct)
| eval ToAcct = if(ToAcct="null", "Non" ,ToAcct)
| stats count by TransferType, FromAcct, ToAcct, When
| sort count desc

Now I dont like that i have two evals cases where I use if. I wanted to use eval case but wasn't able to get it to work because of how I parse my field.

Thanks for the help!

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-14-2015 05:08 PM

Like this:

rex field=transaction_type "(?<TransferType>.)||(?<FromAcct>.)||(?<ToAcct>.)||(?<When>.)"
| replace "null" WITH "Non" IN ToAcct FromAcct
| stats count by TransferType, FromAcct, ToAcct, When
| sort count desc

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-14-2015 05:08 PM

Like this:

rex field=transaction_type "(?<TransferType>.)||(?<FromAcct>.)||(?<ToAcct>.)||(?<When>.)"
| replace "null" WITH "Non" IN ToAcct FromAcct
| stats count by TransferType, FromAcct, ToAcct, When
| sort count desc
Reply
Solved! Jump to solution

jameskerivan
Explorer
‎10-15-2015 10:36 AM

Thank you!

0 Karma
Reply
Solved! Jump to solution

gcato
Contributor
‎10-14-2015 04:45 PM

Hi jameskerivan,

Have you seen the fillnull command. it can replace nulls with a value. Refer to: http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Fillnull

Hope this helps.

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎10-14-2015 04:46 PM

Yeah, but he is matching a literal string null - the values aren't actually null, they're filled with a literal value, which just happens to be the string, null. So the fillnull command sadly won't work here.

0 Karma
Reply
Solved! Jump to solution

gcato
Contributor
‎10-14-2015 04:51 PM

Yes, very true. I'd suggest the rex command then.
...| rex mode=sed field=_raw "s/null/Non/g" |rex field=transaction_type ...
Note: Must happen before the rex field extraction

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...