Solved: I want rex command to return empty string if no ma...

jbrenner · ‎09-04-2024

Let's say I have the following SPL query. Ignore the regexes, thery're not important for the example:

index=abc
| rex field=MESSAGE "aaa(?<FIELD1>bbb)" 
| rex field=MESSAGE "ccc(?<FIELD2>ddd)"
stats count by FIELD1, FIELD2

Right now, the query doesn't return a result unless both fields match, but I still want to return a result if only one field matches. I just want to return an empty string in the field that doesn't match. Is there a way to do this? Thanks!

ITWhisperer · ‎09-04-2024

Use an empty alternative

| rex field=MESSAGE "aaa(?<FIELD1>bbb|)" 
| rex field=MESSAGE "ccc(?<FIELD2>ddd|)"

View solution in original post

jbrenner · ‎09-05-2024

Exactly what I needed. Thanks!

yuanliu · ‎09-04-2024

A common approach is to use fillnull.

index=abc
| rex field=MESSAGE "aaa(?<FIELD1>bbb)" 
| rex field=MESSAGE "ccc(?<FIELD2>ddd)"
| fillnull FIELD1 FIELD2 value=UNSPEC
| stats count by FIELD1, FIELD2
| foreach FIELD1 FIELD2
    [eval <<FIELD>> = if(<<FIELD>> == "UNSPEC", null(), <<FIELD>>)]

This is a made-up dataset based on your regex.

MESSAGE

aaabbbcccddd

aaabbbcccdef

aaabccccddd

abcdefg

The above method gives

FIELD1	FIELD2	count
		1
	ddd	1
bbb		1
bbb	ddd	1

Here is an emulation to produce this data

| makeresults format=csv data="MESSAGE
aaabbbcccddd
aaabbbcccdef
aaabccccddd
abcdefg"
``` the above emulates
index=abc
```

Play with it and compare with real data.

ITWhisperer · ‎09-04-2024

Use an empty alternative

| rex field=MESSAGE "aaa(?<FIELD1>bbb|)" 
| rex field=MESSAGE "ccc(?<FIELD2>ddd|)"

I want rex command to return empty string if no match

rex

stats

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector