Solved: Re: How to run a different rex extraction only if ...

raby1996 · ‎10-01-2015

Hi all,

So I'm currently using this extraction:

| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MS:(?<MS>\s+\d+\-\d+\S\S+)"

However I have found that this is not always present in my data, so I was wondering if there was a way where I could run this (below) rex command only when the first one doesn't find anything?

 "| rex "(?m)(?:\n|.)MS:(?<MS>\s+\S+)"

Thank you.

somesoni2 · ‎10-01-2015

Can you provide some sample logs for both patterns?
One dirty workaround would be like this

| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MS:(?<MS>\s+\d+\-\d+\S\S+)" | rex "(?m)(?:\n|.)MS:(?<MS1>\s+\S+)" | eval MS=coalesce(MS,MS1)

View solution in original post

somesoni2 · ‎10-01-2015

Can you provide some sample logs for both patterns?
One dirty workaround would be like this

| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MS:(?<MS>\s+\d+\-\d+\S\S+)" | rex "(?m)(?:\n|.)MS:(?<MS1>\s+\S+)" | eval MS=coalesce(MS,MS1)

raby1996 · ‎10-01-2015

That worked great! thank you

raby1996 · ‎10-01-2015

If you would like to convert it as an answer I'll accept it for you

somesoni2 · ‎10-01-2015

Here you go.

How to run a different rex extraction only if another rex extraction did not find anything to extract?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!