- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Rex in If else ladder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rex in If else ladder
Hi, I am running the below query and want to print 0 for the keyword that is not matched , can this be possible to give the query like this... this gives me some error, please help me to correct this query :
index="maa" | table Name Age Location | eval a=if((rex field="Location" (?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might want to try putting the rex command separately and then piping it to your eval statements. Lets see about highlighting the areas of your search to look at...
index="maa" | table Name Age Location | eval a=if((rex field="Location" (?<one>(?i)"abhay")),0,ONE)| eval ONE=lower(ONE) | chart count(ONE) by ONE ]
Lets break down the eval statement:
| eval a=if((rex field="Location" (?<one>(?i)"abhay")),0,ONE)
It looks like you want to create a field named "a" which will contain a value of either "0" or "ONE". You are also looking to create a field with the rex command named "one" with the value of "abhay". If all you are doing is wanting to create a field with a specific value, then you do not need to use a regex extraction to create the field. Considering that the field "Location" already exists with that value, then you could simply use that in your eval as such:
| eval a=if(Location =="abhay", 0, ONE)
However, if you are looking to do the regex extraction anyway, then you could do so before piping it to your eval statement, which would look like this:
|rex field="Location" "(?i)(?<one>\"abhay\")" | eval a=if(one == "abhay", 0, ONE)
Now considering that you do not have a field named "ONE" but are trying to use it in the next eval statement and with the chart command, I am assuming that you would like to use the "one" field as "ONE". That would leave use with two search options depending on if my assumptions for what you are looking to do are correct or not. Below are two simplified and cleaned up searches that should give you what you are looking for. (I am also assuming that the last ']' in your search is a typo)
With the rex command:
index="maa" | table Name Age Location | rex field="Location" "(?i)(?<one>\"abhay\")" | eval ONE=if(one == "abhay", 0, ONE) | eval ONE=lower(ONE) | chart count(ONE) by ONE
Without the rex command:
index="maa" | table Name Age Location | eval ONE=if(Location == "abhay", 0, ONE) | eval ONE=lower(ONE) | chart count(ONE) by ONE
One last possibility that you may be considering is to use the rex command to grab all field values "abhay" and to run your eval despite case sensitivity. In that case the search with the rex command should be the one you want to use.
If this answer helped you, please don't forget to vote!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have 2 keywords and I am running query :
index="maa" | table Name Age Location | rex field="Location" (?
Out of two keywords ( kol,delhi), Location field is matching only "kol" keyword and I am getting my output as :
kol 10
but I want to get my output as
kol 10
delhi 0
because if there is no match then it should print 0 along with the keyword as above
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
