topic Re: string to decimal and use where condition in Splunk Search

string to decimal and use where condition

lain179 — Thu, 04 Apr 2013 00:25:27 GMT

I have extracted a field that represents how long a process takes. The values looks like 1.0435, 2.242, 234.23435, etc. Using rex, the values are stored as string, so I use convert auto(timetaken). Though it seems to convert it to number, I couldn't get the where clause to work. I searched for where timetake>1, and I got much fewer results than I expected. Please help. Thanks.

Here is my search syntax.

sourcetype="Engine Logs" done save | rex field=_raw ".*in (?<TimeTaken>[0-9\.]+) seconds.*SERVER\.(?<Server>.*)\.Engine" | convert auto(TimeTaken) | stats values(TimeTaken) as TimeTaken by Server | search TimeTaken>1

Re: string to decimal and use where condition

_d_ — Thu, 04 Apr 2013 04:52:25 GMT

It would help if you posted your actual search. Typically, when using rex to extract a field and the regex extract numbers, including decimals, Splunk will take care of typing. So you don't really have to call convert. In any case, where should work in filtering things out.

Try this:

index=_internal sourcetype="splunkd_access" HTTP | head 100 | rex "HTTP/(?<http_version>[^\"]+)" | where http_version>1

and you should only see events with that contain "HTTP/1.1" but no "HTTP/1.0"

Alternatively, you can use search instead of where. Ex. | search timetaken>1

Re: string to decimal and use where condition

lain179 — Thu, 04 Apr 2013 16:32:54 GMT

Oh never mind, I found what went wrong. When a server has multiple values - some less than 1 and some more than 1, that server doesn't return in the result for search TimeTaken>1. I have to do the stats by Sever, _time. And that worked.