- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Cannot eval a field obtained from rex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sample data that I am querying on
2012/04/16 10:36:10.290 2012/04/16 10:35:16.333 2980023 811863 jac-datafileupload_0416053513 324 stg_genentech_0017ace 128 32 2012/04/16 10:35:16.333 2012/04/16 10:35:15.793 2012/04/16 10:35:16.767 2012/04/16 10:36:10.273 53506 0 false zsservices\\sd_stg_shared_0017 zsservices\\sd_stg_shared_0017 433 sa-sdhpccmp02 log4net:error xmlconfigurator: failed to find configuration section 'log4net' in the application's .config file. check your .config file for the <log4net> and <configsections> elements. the configuration section should look like: <section name=\"log4net\" type=\"log4net.config.log4netconfigurationsectionhandler,log4net\" />
time to extract package: 4.4772574s
processing file dtbterr.txt.
time taken for preliminary validations: 0.0468006s
time taken to create temp table: 0.1404018s
time taken to update records: 0.0156002s
time taken to insert records: 0.0312004s
time taken to delete records: 0.0312004s
done dtbterr.txt.
My splunk query is something like this
search blah blah blah | rex field=_raw "time to extract package:(?<MYTIME>.*)s.*" | eval XYZ = MYTIME * 100 | fields MYTIME, XYZ
I am getting the correct values for MYTIME. However, when I eval MYTIME * 100, no value is returned. I tried using tonumber(), tostring() etc in vain.
Any help is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problems is probably the whitespace, you're extracting into the field as well:
time to extract package: 4.4772574s
^
Using such a regex should work:
... | rex field=_raw "time to extract package:\s*(?<MYTIME>[\d\.]+)s" | ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problems is probably the whitespace, you're extracting into the field as well:
time to extract package: 4.4772574s
^
Using such a regex should work:
... | rex field=_raw "time to extract package:\s*(?<MYTIME>[\d\.]+)s" | ...
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
