Splunk Search

Rex in If else ladder

abhayneilam
Contributor

Hi, I am running the below query and want to print 0 for the keyword that is not matched , can this be possible to give the query like this... this gives me some error, please help me to correct this query :

index="maa" | table Name Age Location | eval a=if((rex field="Location" (?(?i)"abhay")),0,ONE)| eval ONE=lower(ONE) | chart count(ONE) by ONE ]

Tags (5)
0 Karma

Rob
Splunk Employee
Splunk Employee

You might want to try putting the rex command separately and then piping it to your eval statements. Lets see about highlighting the areas of your search to look at...

index="maa" | table Name Age Location | eval a=if((rex field="Location" (?<one>(?i)"abhay")),0,ONE)| eval ONE=lower(ONE) | chart count(ONE) by ONE ]

Lets break down the eval statement:

| eval a=if((rex field="Location" (?<one>(?i)"abhay")),0,ONE)

It looks like you want to create a field named "a" which will contain a value of either "0" or "ONE". You are also looking to create a field with the rex command named "one" with the value of "abhay". If all you are doing is wanting to create a field with a specific value, then you do not need to use a regex extraction to create the field. Considering that the field "Location" already exists with that value, then you could simply use that in your eval as such:

| eval a=if(Location =="abhay", 0, ONE)

However, if you are looking to do the regex extraction anyway, then you could do so before piping it to your eval statement, which would look like this:

|rex field="Location" "(?i)(?<one>\"abhay\")" | eval a=if(one == "abhay", 0, ONE)

Now considering that you do not have a field named "ONE" but are trying to use it in the next eval statement and with the chart command, I am assuming that you would like to use the "one" field as "ONE". That would leave use with two search options depending on if my assumptions for what you are looking to do are correct or not. Below are two simplified and cleaned up searches that should give you what you are looking for. (I am also assuming that the last ']' in your search is a typo)

With the rex command:

index="maa" | table Name Age Location | rex field="Location" "(?i)(?<one>\"abhay\")" | eval ONE=if(one == "abhay", 0, ONE) | eval ONE=lower(ONE) | chart count(ONE) by ONE

Without the rex command:

index="maa" | table Name Age Location | eval ONE=if(Location == "abhay", 0, ONE) | eval ONE=lower(ONE) | chart count(ONE) by ONE

One last possibility that you may be considering is to use the rex command to grab all field values "abhay" and to run your eval despite case sensitivity. In that case the search with the rex command should be the one you want to use.

If this answer helped you, please don't forget to vote!

0 Karma

abhayneilam
Contributor

I have 2 keywords and I am running query :

index="maa" | table Name Age Location | rex field="Location" (?(?i)"kol") | eval ONE=lower(ONE) |stats count(ONE) by ONE | append [ search index="maa" | table Name Age Location | rex field="Location" (?(?i)"delhi") | eval ONE=lower(ONE) |stats count(ONE) by ONE ]

Out of two keywords ( kol,delhi), Location field is matching only "kol" keyword and I am getting my output as :

kol 10
but I want to get my output as

kol 10
delhi 0

because if there is no match then it should print 0 along with the keyword as above

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...