
Cannot eval a field obtained from rex

zuberpalekar
Engager

Sample data that I am querying on

2012/04/16 10:36:10.290 2012/04/16 10:35:16.333 2980023 811863 jac-datafileupload_0416053513 324 stg_genentech_0017ace 128 32 2012/04/16 10:35:16.333 2012/04/16 10:35:15.793 2012/04/16 10:35:16.767 2012/04/16 10:36:10.273 53506 0 false zsservices\\sd_stg_shared_0017 zsservices\\sd_stg_shared_0017 433 sa-sdhpccmp02 log4net:error xmlconfigurator: failed to find configuration section 'log4net' in the application's .config file. check your .config file for the <log4net> and <configsections> elements. the configuration section should look like: <section name=\"log4net\" type=\"log4net.config.log4netconfigurationsectionhandler,log4net\" />
time to extract package: 4.4772574s
processing file dtbterr.txt.
time taken for preliminary validations: 0.0468006s
time taken to create temp table: 0.1404018s
time taken to update records: 0.0156002s
time taken to insert records: 0.0312004s
time taken to delete records: 0.0312004s
done dtbterr.txt.

My Splunk query is something like this:

search blah blah blah | rex field=_raw "time to extract package:(?<MYTIME>.*)s.*" | eval XYZ = MYTIME * 100 | fields MYTIME, XYZ

I am getting the correct values for MYTIME. However, when I eval MYTIME * 100, no value is returned. I tried using tonumber(), tostring(), etc., in vain.
Any help is appreciated.


ziegfried
Influencer

The problem is probably the whitespace, which you're extracting into the field as well:

time to extract package: 4.4772574s
                        ^

Using such a regex should work:

... | rex field=_raw "time to extract package:\s*(?<MYTIME>[\d\.]+)s" | ...

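As an added illustration (not code from the thread or from Splunk), the Python snippet below runs the original and the corrected rex patterns against a constructed copy of the event and emulates the eval step. The event text is constructed, Python's `re` spells a named group `(?P<name>...)` where Splunk's PCRE uses `(?<name>...)`, and the assumption that eval yields null for a value carrying leading whitespace is mine, taken from the behaviour the question describes.

```python
import re
from typing import Optional

# Constructed sample event modelled on the multi-line event in the question
# (only the lines relevant to the rex are reproduced here).
RAW_EVENT = (
    "... log4net:error xmlconfigurator: failed to find configuration section\n"
    "time to extract package: 4.4772574s\n"
    "processing file dtbterr.txt.\n"
    "time taken for preliminary validations: 0.0468006s\n"
)

# The regex from the question: the greedy (?<MYTIME>.*) also swallows the
# space after the colon, so the field value starts with whitespace.
BUGGY_REX = r"time to extract package:(?P<MYTIME>.*)s.*"

# The regex from the accepted answer: \s* absorbs the whitespace outside the
# capture group and [\d\.]+ captures only the number.
FIXED_REX = r"time to extract package:\s*(?P<MYTIME>[\d\.]+)s"

def rex_field(raw: str, pattern: str, field: str = "MYTIME") -> Optional[str]:
    """Emulate `rex field=_raw "<pattern>"`: return the named capture or None.

    Like PCRE in Splunk, Python's `.` does not cross a newline by default,
    so the capture stays on the "time to extract package" line.
    """
    m = re.search(pattern, raw)
    return m.group(field) if m else None

# Strict numeric form: digits with an optional fraction, no surrounding space.
_NUMERIC = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)$")

def eval_times_100(value: Optional[str]) -> Optional[float]:
    """Emulate `eval XYZ = MYTIME * 100` as described in the question.

    Assumption (from the reported behaviour): a value with stray whitespace
    is not numeric, so the result is null (None) rather than a trimmed number.
    """
    if value is None or not _NUMERIC.match(value):
        return None
    return float(value) * 100

if __name__ == "__main__":
    for label, pattern in (("buggy", BUGGY_REX), ("fixed", FIXED_REX)):
        mytime = rex_field(RAW_EVENT, pattern)
        print(f"{label}: MYTIME={mytime!r} XYZ={eval_times_100(mytime)}")
```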
