https://community.splunk.com/t5/Splunk-Search/eval-rex-a-field-and-change-its-output/m-p/460365#M129891 <P>Awesome thanks!..You answered my question perfectly, and will accept accordingly. However, I now realize that it probably makes more sense for me to "replace" the intervals with a cron schedule with 86400 rather than create a new field called output ( for the sake of writing it to a lookup)...Do you have a way to do that...I can ask it in other question form if you prefer...Thanks again!</P> Wed, 11 Dec 2019 13:58:08 GMT spluzer 2019-12-11T13:58:08Z https://community.splunk.com/t5/Splunk-Search/eval-rex-a-field-and-change-its-output/m-p/460363#M129889 <P>hello all,</P> <P>I have a lookup with two fields sourcetype and interval ( like below) ..some of the intervals are in seconds (which is great) - However some are in cron like (14 01 * * *) --I need to change the ones in cron to 86400 ...Any ideas </P> <PRE><CODE>sourcetype interval blah 300 blah2 15 01 * * * * blah3 3600 blah4 18 02 * * * </CODE></PRE> <P>Here is my comically bad regex I've been working with, but cant seem to make it work</P> <P>| rest splunk_server=local /services/data/inputs/script<BR /> | search (disabled = 0 AND interval=*)<BR /> | dedup sourcetype<BR /> | eval output=if(match(interval="(\d+)(\d+).(\d).(*).(*).(*)")),"86400","interval")</P> <P>| table sourcetype interval output</P> <P>Thanks!</P> Wed, 11 Dec 2019 13:23:45 GMT https://community.splunk.com/t5/Splunk-Search/eval-rex-a-field-and-change-its-output/m-p/460363#M129889 spluzer 2019-12-11T13:23:45Z https://community.splunk.com/t5/Splunk-Search/eval-rex-a-field-and-change-its-output/m-p/460364#M129890 <PRE><CODE>| rest splunk_server=local /services/data/inputs/script | search (disabled = 0 AND interval=*) | eval output=if(match(interval,"^-?\d+$"),"interval","86400") | stats values(interval) as interval values(output) as output by sourcetype </CODE></PRE> <P>Hi, @spluzer<BR /> How about this?</P> Wed, 11 Dec 2019 13:46:18 GMT https://community.splunk.com/t5/Splunk-Search/eval-rex-a-field-and-change-its-output/m-p/460364#M129890 to4kawa 2019-12-11T13:46:18Z https://community.splunk.com/t5/Splunk-Search/eval-rex-a-field-and-change-its-output/m-p/460365#M129891 <P>Awesome thanks!..You answered my question perfectly, and will accept accordingly. However, I now realize that it probably makes more sense for me to "replace" the intervals with a cron schedule with 86400 rather than create a new field called output ( for the sake of writing it to a lookup)...Do you have a way to do that...I can ask it in other question form if you prefer...Thanks again!</P> Wed, 11 Dec 2019 13:58:08 GMT https://community.splunk.com/t5/Splunk-Search/eval-rex-a-field-and-change-its-output/m-p/460365#M129891 spluzer 2019-12-11T13:58:08Z https://community.splunk.com/t5/Splunk-Search/eval-rex-a-field-and-change-its-output/m-p/460366#M129892 <P>Hi</P> <P>Check this</P> <PRE><CODE>| rest splunk_server=local /services/data/inputs/script | search (disabled = 0 AND interval=*) | eval interval=if(match(interval,"^-?\d+$"),'interval',"86400") | stats values(interval) as interval by sourcetype </CODE></PRE> Wed, 11 Dec 2019 14:30:49 GMT https://community.splunk.com/t5/Splunk-Search/eval-rex-a-field-and-change-its-output/m-p/460366#M129892 vnravikumar 2019-12-11T14:30:49Z https://community.splunk.com/t5/Splunk-Search/eval-rex-a-field-and-change-its-output/m-p/460367#M129893 <P>Yep, that does it. I'm an idiot ..lol...Thanks!</P> Wed, 11 Dec 2019 14:39:19 GMT https://community.splunk.com/t5/Splunk-Search/eval-rex-a-field-and-change-its-output/m-p/460367#M129893 spluzer 2019-12-11T14:39:19Z