- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use rex in Calculated Fields?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use rex in Calculated Fields?
Hi,
I'm new to this forum and Splunk in general, so thank you in advance for all your help.
I'm trying to use rex in Calculated fields to extract some text and then further format it.
The rex itself looks like this:
rex field=source(?\d{4}-\d{2})
but when I pass it along to the Eval Expression field, I'm getting the following error message:
Encountered the following error while trying to save: In handler 'props-eval': Invalid operator
The regex works fine in Search.
Any help will be much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can eval the results of extractions performed with rex, but you can't eval them in the rex itself (nor can you rex inside an eval).
Try it in two steps.
rex field=_raw "purple\s+widgets\s+(?<purplewidgets>\d+)\s+orange\s+widgets\s+(?<orangewidgets>\d+)"
| eval totalwidgets=orangewidgets+purplewidgets
Assuming you have an event like
somedatetime, purple widgets 5 orange widgets 3
What pops out the other end will be, among some other fluff,
orangewidgets purplewidgets totalwidgets
3 5 8
If you want to confirm, this is the exact, run-anywhere search you can test with.
| gentimes start="1/1/2016" end="1/2/2016"
| eval myval="somedatetime, purple widgets 5 orange widgets 3"
| rex field=myval "purple\s+widgets\s+(?<purplewidgets>\d+)\s+orange\s+widgets\s+(?<orangewidgets>\d+)"
| eval totalwidgets=orangewidgets+purplewidgets
Gentimes just creates a single faked up "time" to work with.
I create an "event" to work with with the first eval.
The rex parses the field myval that I just created and extracts the digits for purple and orange widgets
The last eval does some math with them to find a total.
If instead you are trying to do a rex on a field you've created - well, as far as I know that works as long as it's a string and may work regardless. You can see I do that with "myval" above, in fact!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The rex itself is a command, not a function that can be used within EVAL in search/ calculated fields. If you can provide some sample values and the formatting you're planning to do, we can suggest alternatives. My first guess will be the replace function which comes with eval.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I was able to accomplish my goal using replace()
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you somesoni2. In this case I think I can figure something out using substrings, I read somewhere it's possible to use rex with Calculated Fields, but I guess it's not 😉
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
