Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why Isn't My String Value (a multivalue field) Being Converted to a Number?

genesiusj
Builder
‎02-25-2020 02:11 PM

Hello,
I've checked many of the Answers pages, but to no avail.

In my table, the value "appears" to be converted from a string to a number. However, in the Interesting Fields, it still appears as alphanumeric.

Here is one line of the event which contains the data I want to convert from string to number.

    SAG.TXT           |          100 B |    6.5 KB/s | ascii  | 100%

Not concerned with the 1st, 4th, or 5th value in this event. Only 100 B and 6.5 KB/s. These have been regexed in props.conf.
file_size=100 B
file_transfer_rate=6.5 KB/s

Here is my SPL.

host=host1
| rex field=file_size "(?<fileSize>\d*)\s"
| rex field=file_transfer_rate "(?<fileTransRate>\d*.\d{1,6})"

| eval fs1=trim(fileSize)
| eval fs2=tonumber(trim(fileSize))
| convert rmunit(file_size) AS fs3

| table file_size, fileSize, fs1, fs2, fs3

Here are the results.
alt text

file_size is a string
fileSize appears to a number
fs1 appears to a number
fs2 is blank
fs3 appears to a number

However, here are the Interesting Fields.
alt text

All of them are alphanumeric, and fs2 is not present.

Thanks in advance for any guidance.
God bless,
Genesius

UPDATE
I have not worked with multivalue fields before. I didn't know that certain commands will not work on multivalue fields. Apologies for not mentioning in the original post.

Any ideas with this new information?

Preview file
1 KB
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

genesiusj
Builder
‎02-26-2020 08:27 AM

@ to4kawa and @manjunathmeti
Thank you for your answers. I updated my original post adding that these are multi-value fields.

I found these two posts to be very helpful.

How to expand multiple multivalue fields?
How do you MVZIP more than one field?

Using a combination of these posts, I came up with this final code.

host=host1
| eval zipped=mvzip(file_name,mvzip(file_size,mvzip(file_transfer_rate,file_percent_complete,"##"),"##"),"##")

| mvexpand zipped
| rex field=zipped "(?<mvFileName>.*)##(?<mvFileSize1>.*)##(?<mvFileTransRate1>.*)##(?<mvFilePercComp>.*)"

| rex field=mvFileSize1 "(?<mvFileSize2>\d*)\s(?<mvByteUnit1>\w{1,2})"
| rex field=mvFileTransRate1 "(?<mvFileTransRate2>\d*.\d{1,6})\s(?<mvByteUnit2>\w{1,2}\/s)"

| eval fileSizeNum=tonumber(trim(mvFileSize2))
| eval fileTransRateNum=tonumber(trim(mvFileTransRate2))

| eval fileSizeNum2=case(mvByteUnit1="KB",fileSizeNum*1024,mvByteUnit1="B",fileSizeNum)
| eval fileTransRateNum2=fileTransRateNum*1024

| eval transTime1=fileSizeNum/fileTransRateNum
| eval transTime2=round(transTime1,2)

| eval "Event Time"=strftime(_time,"%c")

| rename mvFileName AS "File Name", transTime2 AS "Transfer Time (sec)", mvFileSize1 AS "File Size", mvFileTransRate1 AS "Transfer Rate", mvFilePercComp AS "% Complete"

| table "Event Time", "File Name", "Transfer Time (sec)", "File Size", "Transfer Rate", "% Complete"

Thanks and God bless,
Genesius

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

genesiusj
Builder
‎02-26-2020 08:27 AM

@ to4kawa and @manjunathmeti
Thank you for your answers. I updated my original post adding that these are multi-value fields.

I found these two posts to be very helpful.

How to expand multiple multivalue fields?
How do you MVZIP more than one field?

Using a combination of these posts, I came up with this final code.

host=host1
| eval zipped=mvzip(file_name,mvzip(file_size,mvzip(file_transfer_rate,file_percent_complete,"##"),"##"),"##")

| mvexpand zipped
| rex field=zipped "(?<mvFileName>.*)##(?<mvFileSize1>.*)##(?<mvFileTransRate1>.*)##(?<mvFilePercComp>.*)"

| rex field=mvFileSize1 "(?<mvFileSize2>\d*)\s(?<mvByteUnit1>\w{1,2})"
| rex field=mvFileTransRate1 "(?<mvFileTransRate2>\d*.\d{1,6})\s(?<mvByteUnit2>\w{1,2}\/s)"

| eval fileSizeNum=tonumber(trim(mvFileSize2))
| eval fileTransRateNum=tonumber(trim(mvFileTransRate2))

| eval fileSizeNum2=case(mvByteUnit1="KB",fileSizeNum*1024,mvByteUnit1="B",fileSizeNum)
| eval fileTransRateNum2=fileTransRateNum*1024

| eval transTime1=fileSizeNum/fileTransRateNum
| eval transTime2=round(transTime1,2)

| eval "Event Time"=strftime(_time,"%c")

| rename mvFileName AS "File Name", transTime2 AS "Transfer Time (sec)", mvFileSize1 AS "File Size", mvFileTransRate1 AS "Transfer Rate", mvFilePercComp AS "% Complete"

| table "Event Time", "File Name", "Transfer Time (sec)", "File Size", "Transfer Rate", "% Complete"

Thanks and God bless,
Genesius

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-26-2020 02:06 AM

Just use convert command with rmunit function, rmunit looks for numbers at the beginning of the value and removes trailing text and provides output in numerical values.

host=host1 | convert rmunit(file_size) AS fileSize, rmunit(file_transfer_rate) AS fileTransRate
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...