topic Re: How to use rex in Calculated Fields? in Splunk Search

How to use rex in Calculated Fields?

mmagnuson — Fri, 05 Feb 2016 14:59:05 GMT

Hi,

I'm new to this forum and Splunk in general, so thank you in advance for all your help.
I'm trying to use rex in Calculated fields to extract some text and then further format it.
The rex itself looks like this:

rex field=source(?\d{4}-\d{2})

but when I pass it along to the Eval Expression field, I'm getting the following error message:

Encountered the following error while trying to save: In handler 'props-eval': Invalid operator

The regex works fine in Search.
Any help will be much appreciated.

Re: How to use rex in Calculated Fields?

somesoni2 — Fri, 05 Feb 2016 16:36:28 GMT

The rex itself is a command, not a function that can be used within EVAL in search/ calculated fields. If you can provide some sample values and the formatting you're planning to do, we can suggest alternatives. My first guess will be the replace function which comes with eval.

Re: How to use rex in Calculated Fields?

mmagnuson — Fri, 05 Feb 2016 18:27:06 GMT

Thank you somesoni2. In this case I think I can figure something out using substrings, I read somewhere it's possible to use rex with Calculated Fields, but I guess it's not 😉

Re: How to use rex in Calculated Fields?

Richfez — Fri, 05 Feb 2016 20:26:47 GMT

You can eval the results of extractions performed with rex, but you can't eval them in the rex itself (nor can you rex inside an eval).

Try it in two steps.

rex field=_raw "purple\s+widgets\s+(?<purplewidgets>\d+)\s+orange\s+widgets\s+(?<orangewidgets>\d+)" 
| eval totalwidgets=orangewidgets+purplewidgets

Assuming you have an event like

somedatetime, purple widgets 5 orange widgets 3

What pops out the other end will be, among some other fluff,

orangewidgets   purplewidgets   totalwidgets
3               5               8

If you want to confirm, this is the exact, run-anywhere search you can test with.

| gentimes start="1/1/2016" end="1/2/2016" 
| eval myval="somedatetime, purple widgets 5 orange widgets 3"
| rex field=myval "purple\s+widgets\s+(?<purplewidgets>\d+)\s+orange\s+widgets\s+(?<orangewidgets>\d+)"
| eval totalwidgets=orangewidgets+purplewidgets

Gentimes just creates a single faked up "time" to work with.
I create an "event" to work with with the first eval.
The rex parses the field myval that I just created and extracts the digits for purple and orange widgets
The last eval does some math with them to find a total.

If instead you are trying to do a rex on a field you've created - well, as far as I know that works as long as it's a string and may work regardless. You can see I do that with "myval" above, in fact!

Re: How to use rex in Calculated Fields?

swebb07g — Thu, 01 Apr 2021 18:38:49 GMT

Thank you. I was able to accomplish my goal using replace()