- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- use of rex result in an eval, convert to number
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a long rex command that generates a bunch of fields, this works perfectly. In the left side field explorer in verbose mode, Splunk identifies the two fields as numbers with a # next to the field names, however executing an eval results in no result/null. If I do a string operation, I get the expected result. I tried this:
|convert num(FieldA)|convert num(FieldB) |eval Result=FieldA+FieldB
to add the two numbers together and the result I get looks like this:
Field A: 12345
Field B: 678
Result: 12345 678
when I hoped for: 13023
What am I missing here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@grantsmiley would it be possible for you to share your rex and sample data on which rex is applied?
Seems like your regular expression is adding whitespace character to either fieldA or fieldB or both. Hence they are treated as String. You should reevaluate/test your regular Expression on regex101.con to ensure that they are only extracting numeric part.
Following is a run anywhere example with this kind of issue. I have used trim() function to remove whitespace after fieldA. However, it is better to be resolved during field extraction using Regular Expression.
| makeresults
| eval _raw="fieldA=120 ;fieldB=130"
| rex field=_raw "fieldA=(?<fieldA>[^\;]+)\;fieldB=(?<fieldB>.*)"
| eval totalString=fieldA+fieldB
| eval fieldA=trim(fieldA),fieldB=trim(fieldB)
| eval totalNum=fieldA+fieldB
PS: You can definitely test your fieldA and fieldB using trim() function to see whether they have whitespace character/s added to them.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@grantsmiley would it be possible for you to share your rex and sample data on which rex is applied?
Seems like your regular expression is adding whitespace character to either fieldA or fieldB or both. Hence they are treated as String. You should reevaluate/test your regular Expression on regex101.con to ensure that they are only extracting numeric part.
Following is a run anywhere example with this kind of issue. I have used trim() function to remove whitespace after fieldA. However, it is better to be resolved during field extraction using Regular Expression.
| makeresults
| eval _raw="fieldA=120 ;fieldB=130"
| rex field=_raw "fieldA=(?<fieldA>[^\;]+)\;fieldB=(?<fieldB>.*)"
| eval totalString=fieldA+fieldB
| eval fieldA=trim(fieldA),fieldB=trim(fieldB)
| eval totalNum=fieldA+fieldB
PS: You can definitely test your fieldA and fieldB using trim() function to see whether they have whitespace character/s added to them.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yup, it was a character. The rex pulls fields out of a 4000 field wide fixed width line of text and is an enormous mess. I had to write a script to take the fixed width definition and write the rex command. It is about 3 screens tall in the query window in splunk. TRIM worked, now getting exactly what I want, I should have some up with that, and thought the convert to number would handle that, apparently not! Thanks !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you give sample event and the regex your are using to extract them? Try to use "\d+" in regex.
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
