Solved: drop null value

riqbal47010 · ‎03-16-2020

I have below query
index=f5 partition="/Common/-" | rex "Username\s+'(?(.*))'" | eval Username=coalesce(Username, user)

username is there but first attempt he left empty and in second try he add his username. so the Username is showing null values whereas the default user field is showing actual username.

I am using coalesce because I want to take either value but it should not be null. How can I achieve this.

manjunathmeti · ‎03-16-2020

Function coalesce assigns the value of user field only if Username field does not exist in that event. But here it is set as empty string (""). Use if instead. below will sets value to user if Username is blank else sets to Username.

index=f5 partition="/Common/-" | rex "Username\s+'(?<Username>.*)'"| eval Username=if(Username == "",  user, Username)

View solution in original post

to4kawa · ‎03-16-2020

index=f5 partition="/Common/-" 
| rex "Username\s+'(?<Username>\w+)'" 
| eval Username=coalesce(Username, user)

your REGEX .* match null value.
How about this?
If Username has -, REGEX is [\w\-]+.

manjunathmeti · ‎03-16-2020

Function coalesce assigns the value of user field only if Username field does not exist in that event. But here it is set as empty string (""). Use if instead. below will sets value to user if Username is blank else sets to Username.

index=f5 partition="/Common/-" | rex "Username\s+'(?<Username>.*)'"| eval Username=if(Username == "",  user, Username)

riqbal47010 · ‎03-16-2020

riqbal47010 · ‎03-16-2020

rmmiller · ‎03-16-2020

Can you provide a sample event?
It sounds like your regular expression might not be working exactly as you expect.

riqbal47010 · ‎03-16-2020

attaching for your kind consideration

drop null value

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?