I have a field which contains 2 values for every event as shown below:
Field Name :- Username
Example Values :- A,B
Now from the above example I have defined 2 extra fields first_user and second_user
first_user=A (1st field value from Username)
second_user=B (2nd field value from Username)
Both of the above fields work well as long as the Username field has two values, but not when Username has only 1 value, i.e. the first value (A) is there and the second value (B) is null. I want to display Null or empty for the second_user field, but right now it is just picking up the A value for the second_user field.
In order to resolve this, I'm trying to work on a regex in props.conf, using some if condition and the mvindex command to give logic something like: if B is null, I want to display null.
Any help on providing the format for regex would be great.
You can set up a calculated field
with this definition:
second_user = coalesce(second_user, "Null")
See if something like this works for you
Thanks @somesoni2, the regex works well. Now how can I apply that regex in props.conf? What is the syntax for that?
If the original field (which has two Username values) is already extracted, then follow the solution from this:
https://answers.splunk.com/answers/322843/extract-fields-from-an-already-extracted-field.html
If not, then you can set it up based on _raw data, but you would need to adjust the regex and then set it up like this:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Exampleconfigurationswithprops.conf
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Exampleconfigurationsusingfieldtransfor...
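A props.conf sketch of the approach discussed in this thread, added as an example and not posted by any participant. It assumes a placeholder sourcetype name, a comma between the two Username values, and that Username is already available to inline search-time extractions; the regex is written for this example and is not the one referred to above.

```ini
# props.conf on the search head (added example; stanza name is a placeholder)
[your_sourcetype]

# Inline extraction that runs against the already-extracted Username field
# instead of _raw ("in <src_field>" syntax). The second capture group is
# optional, so second_user is left unset when Username holds only one value
# rather than being filled with the first value.
EXTRACT-username_parts = ^(?<first_user>[^,]+)(?:,(?<second_user>[^,]+))?$ in Username

# Calculated field from the answer above: calculated fields are evaluated
# after extractions, so an unset second_user is displayed as "Null".
EVAL-second_user = coalesce(second_user, "Null")

# Alternative if Username is produced later than inline extractions (for
# example by automatic key/value extraction): drop the EXTRACT line and the
# EVAL line above, and derive both fields as calculated fields. mvindex()
# returns null when the index is out of range.
# EVAL-first_user  = mvindex(split(Username, ","), 0)
# EVAL-second_user = coalesce(mvindex(split(Username, ","), 1), "Null")
```

When usernames feed detection or audit searches, a literal "Null" string keeps single-user events visible in stats and tables instead of silently dropping out of `by second_user` groupings.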