https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17810#M2503 <P>In 4.1.5, the eval command now includes a tonumber() function.</P> <P>For reference: <A href="http://www.splunk.com/base/Documentation/4.1.5/SearchReference/CommonEvalFunctions" rel="nofollow">http://www.splunk.com/base/Documentation/4.1.5/SearchReference/CommonEvalFunctions</A></P> Thu, 16 Sep 2010 00:51:54 GMT Ellen 2010-09-16T00:51:54Z https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17801#M2494 <P>Let's say you have two fields like so:</P> <PRE><CODE>a=0001L b=0002L </CODE></PRE> <P>What's the best way to force the <CODE>eval</CODE> command to see these as numeric fields so that you can add these two values together. It seems like you should be able to simply say something like:</P> <PRE><CODE>... | eval c=rtrim(a,"L") + rtrim(b,"L") </CODE></PRE> <P>However, "c" ends up with the value "00010002" instead of 3 because within the scope of that individual <CODE>eval</CODE> splunk thinks the output of both <CODE>rtrim</CODE> as strings and not as numeric values.</P> <P><EM>To quickly test this yourself, you can run this contrived search command:</EM></P> <PRE><CODE>* | head 1 | a="0001L" | eval b="0002L" | eval c=rtrim(a,"L") + rtrim(b,"L") | fields a b c </CODE></PRE> <P>So the question is this:</P> <BLOCKQUOTE> <P><STRONG>Is there anyway to force <CODE>eval</CODE> to cast the output of an expressions to a numeric value, so that "+" becomes a mathematical operation and not a string concatenation?</STRONG></P> </BLOCKQUOTE> <P></P><HR /><P></P> <P>Yes, I realize that simply breaking this into multiple <CODE>eval</CODE>s solves this problem, like so:</P> <PRE><CODE>... eval _a=rtrim(a,"L") | eval _b=rtrim(b,"L") | eval c= _a+_b </CODE></PRE> <P>However, this does <EM>NOT</EM> work for my use case. I am attempting to write an eval-based macro expression which must be a single <CODE>eval</CODE>, not a series of evals. Therefore, all the work has to be done in a single <CODE>eval</CODE>.</P> <P>I guess I'm looking for counterpart of <CODE>tostring</CODE>. Is there some an undocumented "tonumber()" or similar function?</P> Wed, 21 Jul 2010 06:30:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17801#M2494 Lowell 2010-07-21T06:30:37Z https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17802#M2495 <P>Is there any way you can smuggle a convert num(a) in front of this for your macro?</P> Wed, 21 Jul 2010 21:40:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17802#M2495 ftk 2010-07-21T21:40:31Z https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17803#M2496 <P>Nope. It has to be within a single eval expression. Since my macro is eval-based, I can't even do any kind of nested macro tricks.</P> Wed, 21 Jul 2010 22:39:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17803#M2496 Lowell 2010-07-21T22:39:51Z https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17804#M2497 <P>If the values really are all single digits with 0s prepended, I have (a very ugly) solution for you. The one function that maps string to num, is <CODE>len</CODE>. Ready? First, strip the <CODE>0</CODE>s. Then, replace <CODE>1</CODE> with a single <CODE>x</CODE>, <CODE>2</CODE> with <CODE>xx</CODE>, and so forth. And finally, we can invoke <CODE>len</CODE> on the resulting string (<CODE>xx</CODE> maps to <CODE>2</CODE><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P><CODE>* | head 1 | eval a="0001L" | eval b="0002L" | eval c=len(replace(replace(replace(rtrim(a,"L"), "0", ""), "1", "x"), "2", "xx")) + len(replace(replace(replace(rtrim(b,"L"), "0", ""), "1", "y"), "2", "yy")) | table a b c</CODE></P> <P>gives</P> <PRE><CODE> a b c ----- ----- - 0001L 0002L 3 </CODE></PRE> Thu, 22 Jul 2010 13:36:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17804#M2497 V_at_Splunk 2010-07-22T13:36:02Z https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17805#M2498 <P>Yeah, it looks like a tonumber() function is a badly needed addition to the language. I'm going to file a bug report right now.</P> <P>The one (gross) workaround that I can think of is to abuse the strptime() time parser. This would only work on non-negative integers, but it might be enough for your immediate issue:</P> <PRE><CODE>$ splunk search '* | head 1 | eval a="0001L" | eval b="0002L" | eval c=strptime(rtrim(a,"L"),"%s") + strptime(rtrim(b,"L"),"%s") | table a b c' a b c ----- ----- -------- 0001L 0002L 3.000000 </CODE></PRE> Thu, 22 Jul 2010 14:19:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17805#M2498 mitch 2010-07-22T14:19:57Z https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17806#M2499 <P>I agree -- badly needed.</P> Thu, 22 Jul 2010 19:41:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17806#M2499 ftk 2010-07-22T19:41:48Z https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17807#M2500 <P>Wow. That's hilarious. But no, in my particular use case I'm looking at a time field. So mapping 0-23 and 0-59 within a single eval using this approach would be quite ugly. (I'd have to write a script just to generate my eval command.) Then I'd probably run into some eval expression character limit... I found a 4.1-based workaround using regex-based <CODE>replace()</CODE> and <CODE>relative_time()</CODE>, which you can see here (if your interested): <A href="http://answers.splunk.com/questions/4528/finding-your-local-timezone-with-eval">http://answers.splunk.com/questions/4528/finding-your-local-timezone-with-eval</A></P> Thu, 22 Jul 2010 22:31:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17807#M2500 Lowell 2010-07-22T22:31:32Z https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17808#M2501 <P>Thanks for filing a request. I found a workaround for my specific needs using <CODE>relative_time()</CODE>. But there are certainly other cases where such a solution wouldn't work, so a <CODE>tonumber()</CODE>, or whatever it ends up being called would be greatly appreciated.</P> Thu, 22 Jul 2010 22:36:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17808#M2501 Lowell 2010-07-22T22:36:06Z https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17809#M2502 <P>+1. Just for the craziness of this solution. (I do wonder how far this would stretch. Is the eval handled in a stack-based way, would you eventual end up with a stack overflow?...)</P> Thu, 22 Jul 2010 22:38:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17809#M2502 Lowell 2010-07-22T22:38:09Z https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17810#M2503 <P>In 4.1.5, the eval command now includes a tonumber() function.</P> <P>For reference: <A href="http://www.splunk.com/base/Documentation/4.1.5/SearchReference/CommonEvalFunctions" rel="nofollow">http://www.splunk.com/base/Documentation/4.1.5/SearchReference/CommonEvalFunctions</A></P> Thu, 16 Sep 2010 00:51:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-force-quot-eval-quot-to-cast-an-expression-as-numeric/m-p/17810#M2503 Ellen 2010-09-16T00:51:54Z