How to force rex to extract a field with numeric type

alange
Explorer

(Splunk 4.3.2, in case it makes a difference)

I'm using rex to extract a sequence of digits, and I'd like Splunk to treat it as a numeric field, rather than categorical - so the automatic summary data in the field list will give min, max, mean and stdev.

 | rex field=_raw "Time=(?P<mytime>\d+)ms"

but field mytime shows up as (categorical) with no useful statistics.

Is there any way to make Splunk recognize this is actually a numeric field?

0 Karma

lukejadamec
Super Champion

Try to pipe the results of your rex to a convert like this.

| rex field=_raw "Time=(?P<mytime>\d+)ms" | convert num(mytime)

If you're looking for different types of numerics, then review this doc:

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Convert

0 Karma

lukejadamec
Super Champion

If convert does not work, then the documentation says that eval should.
... | eval mytime=tonumber(mystring)

0 Karma

lukejadamec
Super Champion

Sorry, I must have misunderstood the documentation:
"Synopsis
Converts field values into numerical values."

Did you try auto instead of num?

0 Karma

alange
Explorer

Just tested - the above command does NOT convert the field from categorical to numeric. Looking at the documentation, it seems designed to convert other representations (for example, hh:mm:ss) into integers for easier comparison.

0 Karma