Re: How to force rex to extract a field with numer...

alange · ‎08-21-2013

(Splunk 4.3.2, in case it makes a difference)

I'm using rex to extract a sequence of digits, and I'd like Splunk to treat it as a numeric field, rather than categorical - so the automatic summary data in the field list will give min, max, mean and stdev.

 | rex field=_raw "Time=(?P<mytime>\d+)ms"

but field mytime shows up as (categorical) with no useful statistics.

Is there any way to make Splunk recognize this is actually a numeric field?

lukejadamec · ‎08-21-2013

Try to pipe the results of your rex to a convert like this.

| rex field=_raw "Time=(?P<mytime>\d+)ms" | convert num(mytime)

If you're looking for different types of numerics, then review this doc:

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Convert

lukejadamec · ‎08-21-2013

If convert does not work, then the documentation says that eval should.
... | eval mytime=tonumber(mystring)

lukejadamec · ‎08-21-2013

Sorry, I must have mis-understood the documentation:
"Synopsis
Converts field values into numerical values."

Did you try auto instead of num?

alange · ‎08-21-2013

Just tested - the above command does NOT convert the field from categorical to numeric. Looking at the documentation, it seems designed to convert other representations (for example, hh:mm:ss) into integers for easier comparison

How to force rex to extract a field with numeric type

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation