Solved: use of rex result in an eval, convert to number

grantsmiley · ‎05-17-2018

I have a long rex command that generates a bunch of fields, this works perfectly. In the left side field explorer in verbose mode, Splunk identifies the two fields as numbers with a # next to the field names, however executing an eval results in no result/null. If I do a string operation, I get the expected result. I tried this:

|convert num(FieldA)|convert num(FieldB) |eval Result=FieldA+FieldB

to add the two numbers together and the result I get looks like this:
Field A: 12345
Field B: 678
Result: 12345 678

when I hoped for: 13023

What am I missing here?

niketn · ‎05-17-2018

@grantsmiley would it be possible for you to share your rex and sample data on which rex is applied?

Seems like your regular expression is adding whitespace character to either fieldA or fieldB or both. Hence they are treated as String. You should reevaluate/test your regular Expression on regex101.con to ensure that they are only extracting numeric part.

Following is a run anywhere example with this kind of issue. I have used trim() function to remove whitespace after fieldA. However, it is better to be resolved during field extraction using Regular Expression.

|  makeresults
|  eval _raw="fieldA=120 ;fieldB=130"
|  rex field=_raw "fieldA=(?<fieldA>[^\;]+)\;fieldB=(?<fieldB>.*)"
|  eval totalString=fieldA+fieldB
|  eval fieldA=trim(fieldA),fieldB=trim(fieldB)
|  eval totalNum=fieldA+fieldB

PS: You can definitely test your fieldA and fieldB using trim() function to see whether they have whitespace character/s added to them.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎05-17-2018

@grantsmiley would it be possible for you to share your rex and sample data on which rex is applied?

Seems like your regular expression is adding whitespace character to either fieldA or fieldB or both. Hence they are treated as String. You should reevaluate/test your regular Expression on regex101.con to ensure that they are only extracting numeric part.

Following is a run anywhere example with this kind of issue. I have used trim() function to remove whitespace after fieldA. However, it is better to be resolved during field extraction using Regular Expression.

|  makeresults
|  eval _raw="fieldA=120 ;fieldB=130"
|  rex field=_raw "fieldA=(?<fieldA>[^\;]+)\;fieldB=(?<fieldB>.*)"
|  eval totalString=fieldA+fieldB
|  eval fieldA=trim(fieldA),fieldB=trim(fieldB)
|  eval totalNum=fieldA+fieldB

PS: You can definitely test your fieldA and fieldB using trim() function to see whether they have whitespace character/s added to them.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

grantsmiley · ‎05-17-2018

Yup, it was a character. The rex pulls fields out of a 4000 field wide fixed width line of text and is an enormous mess. I had to write a script to take the fixed width definition and write the rex command. It is about 3 screens tall in the query window in splunk. TRIM worked, now getting exactly what I want, I should have some up with that, and thought the convert to number would handle that, apparently not! Thanks !

p_gurav · ‎05-17-2018

Can you give sample event and the regex your are using to extract them? Try to use "\d+" in regex.

use of rex result in an eval, convert to number

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!