Solved: Rex how to return static text instead of unmatched...

giovere · ‎07-15-2014

I'm trying to apply a regular expression on input, if regex is not matched I'd like to return a static text as a field value (NULL for example). Splunk 4.3.7.

My current query looks like this, but this would return anything only if all rexes are matched, in example below just first line would work.
Any suggestions how can I get it working?

... | rex "Name=(?.+?);" | rex "Age=?(?.+?);" | rex "Weight=?(?.+?);"

Input:

Some random text; Name=Ruby; Age=18; yada yada; Weight=50

Some random text; Name=Bon; Age=19;

Some random text; Age=18; yada yada; Weight=52

Desired output

Name,Age,Weight

Ruby,18,50

Bon,19,NULL

NULL,18,52

somesoni2 · ‎07-15-2014

Try this

your base search | rex "Name=(?<name>\w+)" | rex "Age=?(?<age>\w+)" | rex "Weight=?(?<weight>\w+)" | fillnull value=NULL

View solution in original post

somesoni2 · ‎07-15-2014

Try this

your base search | rex "Name=(?<name>\w+)" | rex "Age=?(?<age>\w+)" | rex "Weight=?(?<weight>\w+)" | fillnull value=NULL

Rex how to return static text instead of unmatched field?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

Rex how to return static text instead of unmatched field?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...