Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display default value in rex statements if the value is blank?

manojchacko78
Path Finder
‎11-11-2022 05:20 AM

Hi,

I am using the following script in Splunk query. Here i am trying having multiple values in field AdditionalData

and splitting them to extract the fields and writing to separate fields. Now if there is any blank value, in any of these extract fields, i want to have the default value appear as Not Available. 

Thanks in advance

| eval "AddtionalData"=if(isnotnull('cip:AuditMessage.ExtraData'),'cip:AuditMessage.ExtraData',"Not Available")
| rex field=AddtionalData "Legal employer name:(?<LegalEmployerName>[^,]+)"
| rex field=AddtionalData "Legal entity:(?<LegalEntity>[^,]+)"
| rex field=AddtionalData "Country:(?<Country>[^,]+)"
| rex field=AddtionalData "Business unit:(?<BusinessUnit>[^,]+)"

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-11-2022 05:26 AM

Hi @manojchacko78,

yu could try fill null:

<your_search>
| eval "AddtionalData"=if(isnotnull('cip:AuditMessage.ExtraData'),'cip:AuditMessage.ExtraData',"Not Available")
| rex field=AddtionalData "Legal employer name:(?<LegalEmployerName>[^,]*)"
| rex field=AddtionalData "Legal entity:(?<LegalEntity>[^,]*)"
| rex field=AddtionalData "Country:(?<Country>[^,]*)"
| rex field=AddtionalData "Business unit:(?<BusinessUnit>[^,]*)"
| fillnull value="Not  Available" LegalEmployerName
| fillnull value="Not  Available" LegalEntity
| fillnull value="Not  Available" Country
| fillnull value="Not  Available" BusinessUnit

remember in your regexes, to use "*" instead "+" when you could have no values.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

manojchacko78
Path Finder
‎11-11-2022 06:02 AM

Thanks a lot @gcusello. You are an angel 🙂

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-11-2022 06:03 AM

Hi @manojchacko78,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-11-2022 05:26 AM

Hi @manojchacko78,

yu could try fill null:

<your_search>
| eval "AddtionalData"=if(isnotnull('cip:AuditMessage.ExtraData'),'cip:AuditMessage.ExtraData',"Not Available")
| rex field=AddtionalData "Legal employer name:(?<LegalEmployerName>[^,]*)"
| rex field=AddtionalData "Legal entity:(?<LegalEntity>[^,]*)"
| rex field=AddtionalData "Country:(?<Country>[^,]*)"
| rex field=AddtionalData "Business unit:(?<BusinessUnit>[^,]*)"
| fillnull value="Not  Available" LegalEmployerName
| fillnull value="Not  Available" LegalEntity
| fillnull value="Not  Available" Country
| fillnull value="Not  Available" BusinessUnit

remember in your regexes, to use "*" instead "+" when you could have no values.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...