Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to run a different rex extraction only if anot...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
10-01-2015
02:34 PM
Hi all,
So I'm currently using this extraction:
| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MS:(?<MS>\s+\d+\-\d+\S\S+)"
However I have found that this is not always present in my data, so I was wondering if there was a way where I could run this (below) rex command only when the first one doesn't find anything?
"| rex "(?m)(?:\n|.)MS:(?<MS>\s+\S+)"
Thank you.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-01-2015
03:29 PM
Can you provide some sample logs for both patterns?
One dirty workaround would be like this
| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MS:(?<MS>\s+\d+\-\d+\S\S+)" | rex "(?m)(?:\n|.)MS:(?<MS1>\s+\S+)" | eval MS=coalesce(MS,MS1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-01-2015
03:29 PM
Can you provide some sample logs for both patterns?
One dirty workaround would be like this
| rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MS:(?<MS>\s+\d+\-\d+\S\S+)" | rex "(?m)(?:\n|.)MS:(?<MS1>\s+\S+)" | eval MS=coalesce(MS,MS1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
10-01-2015
03:49 PM
That worked great! thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
10-01-2015
03:50 PM
If you would like to convert it as an answer I'll accept it for you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-01-2015
04:01 PM
Here you go.
Get Updates on the Splunk Community!
Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...
If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...
Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions
Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
