Solved: Rex how to return static text instead of unmatched...

giovere · ‎07-15-2014

I'm trying to apply a regular expression on input, if regex is not matched I'd like to return a static text as a field value (NULL for example). Splunk 4.3.7.

My current query looks like this, but this would return anything only if all rexes are matched, in example below just first line would work.
Any suggestions how can I get it working?

... | rex "Name=(?.+?);" | rex "Age=?(?.+?);" | rex "Weight=?(?.+?);"

Input:

Some random text; Name=Ruby; Age=18; yada yada; Weight=50

Some random text; Name=Bon; Age=19;

Some random text; Age=18; yada yada; Weight=52

Desired output

Name,Age,Weight

Ruby,18,50

Bon,19,NULL

NULL,18,52

somesoni2 · ‎07-15-2014

Try this

your base search | rex "Name=(?<name>\w+)" | rex "Age=?(?<age>\w+)" | rex "Weight=?(?<weight>\w+)" | fillnull value=NULL

View solution in original post

somesoni2 · ‎07-15-2014

Try this

your base search | rex "Name=(?<name>\w+)" | rex "Age=?(?<age>\w+)" | rex "Weight=?(?<weight>\w+)" | fillnull value=NULL

Rex how to return static text instead of unmatched field?

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest