How to extract a field that can possibly have null...

chengka · ‎01-22-2015

I have managed to create many field extractions, but my latest has me stumped.

My events are formatted by a vendor, so I can't change them. My goal is to extract fields for the bolded items in a way that I can search and report on them. Typically the value exists between the (). Most of them are easy but I don't know how to deal with the fields like MCAUSER which only contains '' between the () and TRIGGER/NOTRIGGER which are one of the other.

My current extraction creates a field of MCAUSER = BADUSER for event 2, but no MCAUSER field at all for event 1. Here is my current regex
^**[\S\W.]+MCAUSER('(?P[^']+)

Event 1
DEFINE CHANNEL('SYSTEM.DEF.SVRCONN') CHLTYPE(SVRCONN) REPLACE+
DESCR('') +
MCAUSER('') +
TRIGGER +
HBINT(300)

Event 2
DEFINE CHANNEL('SYSTEM.ALT.SVRCONN') CHLTYPE(SVRCONN) REPLACE +
DESCR('') +
MCAUSER('BADUSER') +
NOTRIGGER +
HBINT(300)

My other thought is perhaps I could get away with a search that identifies events that do not contain a field MCAUSER, "NOT MCAUSER=*" seems to work, but without a value, I can't seem to create a count which includes the '' via "| stats count by MCAUSER"

_d_ · ‎01-26-2015

Try this regex:

MCAUSER\('(?<MCAUSER>[^']*)'\)

that will look for the string MCAUSER and extract everything between (' and ') in a field called MCAUSER

ShaneNewman · ‎01-26-2015

Have you considered using fillnull value="some value" MCAUSER | stats count by MCAUSER ? Maybe I am not fully understanding your question...

How to extract a field that can possibly have null values?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms