Solved: Rex how to return static text instead of unmatched...

giovere · ‎07-15-2014

I'm trying to apply a regular expression on input, if regex is not matched I'd like to return a static text as a field value (NULL for example). Splunk 4.3.7.

My current query looks like this, but this would return anything only if all rexes are matched, in example below just first line would work.
Any suggestions how can I get it working?

... | rex "Name=(?.+?);" | rex "Age=?(?.+?);" | rex "Weight=?(?.+?);"

Input:

Some random text; Name=Ruby; Age=18; yada yada; Weight=50

Some random text; Name=Bon; Age=19;

Some random text; Age=18; yada yada; Weight=52

Desired output

Name,Age,Weight

Ruby,18,50

Bon,19,NULL

NULL,18,52

somesoni2 · ‎07-15-2014

Try this

your base search | rex "Name=(?<name>\w+)" | rex "Age=?(?<age>\w+)" | rex "Weight=?(?<weight>\w+)" | fillnull value=NULL

View solution in original post

somesoni2 · ‎07-15-2014

Try this

your base search | rex "Name=(?<name>\w+)" | rex "Age=?(?<age>\w+)" | rex "Weight=?(?<weight>\w+)" | fillnull value=NULL

Rex how to return static text instead of unmatched field?

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

Rex how to return static text instead of unmatched field?

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+