Splunk Search

use if else to run different rex

iamniks
Explorer

There is a field JOB_NAME. i want to extract this field contents using an IF statement.

If JOB_NAME=TEST then some regex ELSE some other regex.

Please tell me how to do this as eval if doesnt allow me to use regex in results section

Tags (2)
1 Solution

dwaddle
SplunkTrust
SplunkTrust

You really can't do this, but there's a possible workaround. Run both regexes, and use an eval to merge to a final field..

| rex "(?<job_is_test>REGEX1)" | rex "(?<job_is_not_test>)REGEX2"
| eval finalfield = if(JOB_NAME=="TEST",job_is_test,job_is_not_test)
| fields -job_is_test,job_is_not_test

View solution in original post

nick405060
Motivator

Actually you CAN do this @dwaddle. The hate that map gets from fezhats is crazy. _ fields are a little tricky so I would eval/rename them like I did here.

index=myindex | 

eval no_referrer_regex="MYREGEX1" |

eval referrer_regex="MYREGEX2" |

eval regex=if(_time < 1579250700,no_referrer_regex,referrer_regex) | eval raw=_raw |

map maxsearches=10000 search="| makeresults | eval mapped_raw=\"$$raw$$\" | rex field=mapped_raw \"$$regex$$\"" | table pst pst_epoch id action path num desc browser referrer

A second approach would just be to use ad-hoc searches in SimpleXML to set token values.

dwaddle
SplunkTrust
SplunkTrust

You really can't do this, but there's a possible workaround. Run both regexes, and use an eval to merge to a final field..

| rex "(?<job_is_test>REGEX1)" | rex "(?<job_is_not_test>)REGEX2"
| eval finalfield = if(JOB_NAME=="TEST",job_is_test,job_is_not_test)
| fields -job_is_test,job_is_not_test
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...