topic Why are we unable to evaluate a field obtained from rex? in Splunk Search

Why are we unable to evaluate a field obtained from rex?

nilbak1 — Tue, 28 May 2019 17:55:54 GMT

Using below query:

 index="incident" sourcetype="csv" | rex max_match=0 "(?(?i)(order))" | stats count by classification

Result I am getting is:

classification  count
ORDER   2
Order   120
order   83

Now i want to make this order value as 1 field value like

Order 205

And I trying to do this by converting classification field from string into numeric and then using eval function, but here tonumber function is not working. And I am not able to achieve the required result.

Any help is appreciated.

Re: Why are we unable to evaluate a field obtained from rex?

jodyfsu — Tue, 28 May 2019 18:12:07 GMT

I think, in your rex statement you may need to identify the field.

| rex field=max_match

But, I may be misunderstanding what you have.

If you can provide a sample event I may be able to help more.

Re: Why are we unable to evaluate a field obtained from rex?

nilbak1 — Wed, 30 Sep 2020 00:45:24 GMT

yes i have used below in my query. I am getting the same result.
| rex max_match=0 field=_raw

Sample Event I can't provide here.
its just , not able to convert string to numeric, I have tried all options.
Not sure, why eval function is not working after rex command

Re: Why are we unable to evaluate a field obtained from rex?

richgalloway — Tue, 28 May 2019 20:18:12 GMT

Use the coalesce function to combine several fields into a single field.

index="incident" sourcetype="csv" | rex max_match=0 "(?(?i)(order))" | eval classification=coalesce(ORDER, Order, order) | stats count by classification

Re: Why are we unable to evaluate a field obtained from rex?

sayaksplunk — Tue, 28 May 2019 20:24:37 GMT

If your goal is to achieve the output as the sum of the count field irrespective of the case of the contents in the classification field i.e. "Order 205" as per your question then you can try an approach even without rex. Below is the code for the same. This will help you generalize the case of the contents of "Classification" field.

index="incident" sourcetype="csv"
|eval Classification=lower(Classification)
|stats sum(Count) as Count by Classification

Re: Why are we unable to evaluate a field obtained from rex?

nilbak1 — Wed, 29 May 2019 03:11:29 GMT

I am getting no results found under statistics tab. Used below query.

 source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv" | rex max_match=0 field=_raw "(?(?i)(order))" | eval classification=coalesce(ORDER, Order, order) |  stats count by classification

Re: Why are we unable to evaluate a field obtained from rex?

nilbak1 — Wed, 29 May 2019 03:25:00 GMT

Without rex it will not work here as I need to extract field different fields here from events then do their count.

Re: Why are we unable to evaluate a field obtained from rex?

sayaksplunk — Wed, 30 Sep 2020 00:43:32 GMT

I have just modified your query, try if it works:

source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv"
| rex max_match=0 field=_raw "(?(?i)(order))" | eval classification=coalesce("ORDER", "Order", "order") | stats count by classification

Re: Why are we unable to evaluate a field obtained from rex?

nilbak1 — Wed, 29 May 2019 06:38:17 GMT

Its working now
I have used below query. Thanks all for the help 🙂

    source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv"
    | rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=lower(classification)| stats count by classification