Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to run a different rex extraction only if ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
10-01-2015
02:34 PM
Hi all,
So I'm currently using this extraction:
| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MS:(?<MS>\s+\d+\-\d+\S\S+)"
However I have found that this is not always present in my data, so I was wondering if there was a way where I could run this (below) rex command only when the first one doesn't find anything?
"| rex "(?m)(?:\n|.)MS:(?<MS>\s+\S+)"
Thank you.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-01-2015
03:29 PM
Can you provide some sample logs for both patterns?
One dirty workaround would be like this
| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MS:(?<MS>\s+\d+\-\d+\S\S+)" | rex "(?m)(?:\n|.)MS:(?<MS1>\s+\S+)" | eval MS=coalesce(MS,MS1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-01-2015
03:29 PM
Can you provide some sample logs for both patterns?
One dirty workaround would be like this
| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MS:(?<MS>\s+\d+\-\d+\S\S+)" | rex "(?m)(?:\n|.)MS:(?<MS1>\s+\S+)" | eval MS=coalesce(MS,MS1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
10-01-2015
03:49 PM
That worked great! thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
10-01-2015
03:50 PM
If you would like to convert it as an answer I'll accept it for you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-01-2015
04:01 PM
Here you go.
Get Updates on the Splunk Community!
Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year
At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
