index=os source=df host=host1 | multikv | rex mode=sed "s/%//" | search Filesystem="/dev/mapper/host1.work" | delta UsePct | table *
Without looking at the table it appears the rex command worked. However, no values are shown for the field delta(UsePct) and the '%' remains in the table output
index=os source=df host=host1 | multikv | rex mode=sed field=UsePct "s/%//" | search Filesystem="/dev/mapper/host1.work" | delta UsePct | table *
Values are shown for the field delta(UsePct). No percent remains in the output.
It just seems odd to me that I need to specify the field option for the rex command to get the delta command to actually get a non % based number.
If you don't specify a field, rex
just operates on the _raw
field, which may look like it's working, but hasn't changed the value of UsePct
(which was extracted from _raw
by the multikv
command, prior to the rex
command).
If you don't specify a field, rex
just operates on the _raw
field, which may look like it's working, but hasn't changed the value of UsePct
(which was extracted from _raw
by the multikv
command, prior to the rex
command).
From: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/rex
Description: Matches the value of the field against the unanchored regex and extracts the Perl regex named groups into fields of the corresponding names. If mode is set to 'sed' the given sed expression will be applied to the value of the chosen field (or to _raw if a field is not specified).