Solved: Is it possible to do an in-line conditional field ...

SplunkDash · ‎03-15-2023

Hello,

Is it possible to do conditional In Line field extraction in SPLUNK for the following sample data:

Sample Data (3 Events)

tR3225256009BMFTH77770977DF74S58628201804533FGRT

fR6225256009BMFFT77779977TG76S58628201804633TSRD

gR1225256004BMGHL7090997YJK66S58628201804833EDAR

I have done:

(^)(?i)(?<DeprtCode>.{1})(?i)(?<mode_no>.{2})(?i)(?<StudentId>.{9})(?i)(?<BuildingCode>.{5})(?i)(?<Code>.{2})(?i)

Help Needed to Extract Field under following conditions:

If from character # 20-25 (6 Characters) are all Numerics then extract those 6 characters as Account_no, if those 6 characters are not all Numerics (like sample event 3) then extract all characters from 20-46 as no_Account

Is it possible? Any recommendations will be highly appreciated. Thank you!

yuanliu · ‎03-15-2023

As I always say, as long as it is mathematical, everything is possible.

| rex "^.{19}(?<Account_no>\d{6})"
| rex "^.{19}(?<no_Account>.+)"
| eval no_Account = if(isnull(Account_no), no_Account, null())

Account_no	_raw	no_Account
770977	tR3225256009BMFTH77770977DF74S58628201804533FGRT
779977	fR6225256009BMFFT77779977TG76S58628201804633TSRD
	gR1225256004BMGHL7090997YJK66S58628201804833EDAR	90997YJK66S58628201804833EDAR

View solution in original post

yuanliu · ‎03-15-2023

As I always say, as long as it is mathematical, everything is possible.

| rex "^.{19}(?<Account_no>\d{6})"
| rex "^.{19}(?<no_Account>.+)"
| eval no_Account = if(isnull(Account_no), no_Account, null())

Account_no	_raw	no_Account
770977	tR3225256009BMFTH77770977DF74S58628201804533FGRT
779977	fR6225256009BMFFT77779977TG76S58628201804633TSRD
	gR1225256004BMGHL7090997YJK66S58628201804833EDAR	90997YJK66S58628201804833EDAR

SplunkDash · ‎03-15-2023

Hello @yuanliu

Thank you so much for your quick response. Are there any ways with your mathematical magic, we can incorporate that extraction into my:

(^)(?i)(?<DeprtCode>.{1})(?i)(?<mode_no>.{2})(?i)(?<StudentId>.{9})(?i)(?<BuildingCode>.{5})(?i)(?<Code>.{2})(?i)

yuanliu · ‎03-16-2023

Not sure what you mean by incorporate. If you want the two extra field Account_no and No_Acccount, simply add the search to your search. Here's an alternative method:

| rex "(^)(?i)(?<DeprtCode>.{1})(?i)(?<mode_no>.{2})(?i)(?<StudentId>.{9})(?i)(?<BuildingCode>.{5})(?i)(?<Code>.{2})(?i)"
| rex "^.{19}(?<Account_no>\d{6})"
| eval no_Account = if(isnull(Account_no), replace(_raw, ".{19}", ""), null())

Either way, you get

Account_no	BuildingCode	Code	DeprtCode	StudentId	mode_no	no_Account
770977	BMFTH	77	t	225256009	R3
779977	BMFFT	77	f	225256009	R6
	BMGHL	70	g	225256004	R1	804833EDAR

ITWhisperer · ‎03-16-2023

Given that you have no anchor text (alphabetic or not), you don't need "(?i)"

| rex "^(?<DeprtCode>.)(?<mode_no>..)(?<StudentId>.{9})(?<BuildingCode>.{5})(?<Code>..)(?<Account_no>\d{6})"
| rex "^(?<DeprtCode>.)(?<mode_no>..)(?<StudentId>.{9})(?<BuildingCode>.{5})(?<Code>..)(?<no_Account>.+)"
| eval no_Account = if(isnull(Account_no), no_Account, null())

SplunkDash · ‎03-16-2023

@ITWhisperer

Thank you so much for your quick response. How I would incorporate this code into SPLUNK IN-Line extraction code?

Is it possible to do an in-line conditional field extraction?

field extraction

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!