Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract a field that can possibly have null values?

chengka
Explorer
‎01-22-2015 02:23 PM

I have managed to create many field extractions, but my latest has me stumped.

My events are formatted by a vendor, so I can't change them. My goal is to extract fields for the bolded items in a way that I can search and report on them. Typically the value exists between the (). Most of them are easy but I don't know how to deal with the fields like MCAUSER which only contains '' between the () and TRIGGER/NOTRIGGER which are one of the other.

My current extraction creates a field of MCAUSER = BADUSER for event 2, but no MCAUSER field at all for event 1. Here is my current regex
^**[\S\W.]+MCAUSER('(?P[^']+)

Event 1
DEFINE CHANNEL('SYSTEM.DEF.SVRCONN') CHLTYPE(SVRCONN) REPLACE+
DESCR('') +
MCAUSER('') +
TRIGGER +
HBINT(300)

Event 2
DEFINE CHANNEL('SYSTEM.ALT.SVRCONN') CHLTYPE(SVRCONN) REPLACE +
DESCR('') +
MCAUSER('BADUSER') +
NOTRIGGER +
HBINT(300)

My other thought is perhaps I could get away with a search that identifies events that do not contain a field MCAUSER, "NOT MCAUSER=*" seems to work, but without a value, I can't seem to create a count which includes the '' via "| stats count by MCAUSER"

Tags (2)
0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎01-26-2015 09:17 PM

Try this regex: 

MCAUSER\('(?<MCAUSER>[^']*)'\)

that will look for the string MCAUSER and extract everything between (' and ') in a field called MCAUSER

0 Karma
Reply

ShaneNewman
Motivator
‎01-26-2015 07:46 PM

Have you considered using fillnull value="some value" MCAUSER | stats count by MCAUSER ? Maybe I am not fully understanding your question...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...