I've a field called "NUMBER" which has values as shown below:
NUMBER
0000123
001200
0000004567
00008780
I need it to be converted as below:
NUM
1.23
12.00
45.67
87.80
To do so I can use following splunk query:
| eval NUM=ltrim(tostring(NUMBER),"0") | eval NUM=(NUM/100) | eval NUM=round(NUM,2) |
However I want it be a "calculated field" so that I can run queries direclty using a "NUM" field. But "Calculated Field" is throwing an error "Invalid Operator". Can someone please suggest how can I use it?
Hi
Give a try like this in props.conf
[source::test.csv]
EVAL-NUM = round(tonumber(NUMBER)/100,2)
Are you putting all three EVAL statements in single calculated fields entry??
Also, try this for expression while saving the calculated field
replace(NUMBER,"^(0*)(\d*)(\d{2})","\2.\3")
Yes I was trying to add three eval statements in a single calculated fields entry. Guess that's not allowed. If I put them in three different calculated fields then it takes too long for the search query.
The expression you provided helps but appears searching on calculated fields takes more time than normal. Is there a better way of doing it?
Handle it inline in search, may be create a macro for it and call the macro in your search.
OK thanks. I'll try.