Solved: Re: use if else to run different rex

iamniks · ‎05-07-2014

There is a field JOB_NAME. i want to extract this field contents using an IF statement.

If JOB_NAME=TEST then some regex ELSE some other regex.

Please tell me how to do this as eval if doesnt allow me to use regex in results section

dwaddle · ‎05-07-2014

You really can't do this, but there's a possible workaround. Run both regexes, and use an eval to merge to a final field..

| rex "(?<job_is_test>REGEX1)" | rex "(?<job_is_not_test>)REGEX2"
| eval finalfield = if(JOB_NAME=="TEST",job_is_test,job_is_not_test)
| fields -job_is_test,job_is_not_test

View solution in original post

nick405060 · ‎01-17-2020

Actually you CAN do this @dwaddle. The hate that map gets from fezhats is crazy. _ fields are a little tricky so I would eval/rename them like I did here.

index=myindex | 

eval no_referrer_regex="MYREGEX1" |

eval referrer_regex="MYREGEX2" |

eval regex=if(_time < 1579250700,no_referrer_regex,referrer_regex) | eval raw=_raw |

map maxsearches=10000 search="| makeresults | eval mapped_raw=\"$$raw$$\" | rex field=mapped_raw \"$$regex$$\"" | table pst pst_epoch id action path num desc browser referrer

A second approach would just be to use ad-hoc searches in SimpleXML to set token values.

dwaddle · ‎05-07-2014

You really can't do this, but there's a possible workaround. Run both regexes, and use an eval to merge to a final field..

| rex "(?<job_is_test>REGEX1)" | rex "(?<job_is_not_test>)REGEX2"
| eval finalfield = if(JOB_NAME=="TEST",job_is_test,job_is_not_test)
| fields -job_is_test,job_is_not_test

use if else to run different rex

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life