Re: How to convert the values of multiple fields t...

jvmerilla · ‎06-13-2018

Hi All,

Good day!

I just want to ask for some help here. 🙂

I have multiple fields with the data I'm working on with values, "0, 1, 2, 3, 4, 5, NULL".
Ex.

I replace the "NULL" values and replace it with space, " ", and add all of these fields and put it in a new field with this code:

| replace NULL WITH " " IN "FIELD A" "FIELD B" "FIELD C" "FIELD D" "FIELD E"
| eval newField ="FIELD A" +  " FIELD B" + " FIELD C" + "" FIELD D" + " FIELD E"

But instead of adding the values of the fields, it concatenates it like like this:

Notice that the events where there was a "NULL" values where seem to be treated as a string.

I tried to use the tonumber() function to convert it to string but it doesn't work.
Ex:

|eval "FIELD A" = tonumber("FIELD A")
|eval "FIELD B" = tonumber("FIELD B")
|eval "FIELD C" = tonumber("FIELD C")
|eval "FIELD D" = tonumber("FIELD D")
|eval "FIELD E" = tonumber("FIELD E")

What could be the possible cause of this issue and what could be the solution?

Thanks! 🙂

493669 · ‎06-14-2018

try this:

...|replace NULL with 0|eval newField ='FIELD A' +  'FIELD B' + 'FIELD C' + 'FIELD D' + 'FIELD E'

ansif · ‎06-13-2018

Remove double quotes for newfield calculation and try.

jvmerilla · ‎06-13-2018

Hi @ansif,

I have also tried it already but it still doesn't work.

ansif · ‎06-13-2018

Can I get the raw data?

jvmerilla · ‎06-13-2018

Hi @ansif,

I'm sorry but I cannot provide the raw data to you. But why do you need it?

How to convert the values of multiple fields to number?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...