Solved: Rex how to return static text instead of unmatched...

giovere · ‎07-15-2014

I'm trying to apply a regular expression on input, if regex is not matched I'd like to return a static text as a field value (NULL for example). Splunk 4.3.7.

My current query looks like this, but this would return anything only if all rexes are matched, in example below just first line would work.
Any suggestions how can I get it working?

... | rex "Name=(?.+?);" | rex "Age=?(?.+?);" | rex "Weight=?(?.+?);"

Input:

Some random text; Name=Ruby; Age=18; yada yada; Weight=50

Some random text; Name=Bon; Age=19;

Some random text; Age=18; yada yada; Weight=52

Desired output

Name,Age,Weight

Ruby,18,50

Bon,19,NULL

NULL,18,52

somesoni2 · ‎07-15-2014

Try this

your base search | rex "Name=(?<name>\w+)" | rex "Age=?(?<age>\w+)" | rex "Weight=?(?<weight>\w+)" | fillnull value=NULL

View solution in original post

somesoni2 · ‎07-15-2014

Try this

your base search | rex "Name=(?<name>\w+)" | rex "Age=?(?<age>\w+)" | rex "Weight=?(?<weight>\w+)" | fillnull value=NULL

Rex how to return static text instead of unmatched field?

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

Rex how to return static text instead of unmatched field?

Splunk App for Anomaly Detection End of Life Announcement

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk