Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to force rex to extract a field with numeric type

alange
Explorer
‎08-21-2013 03:51 PM

(Splunk 4.3.2, in case it makes a difference)

I'm using rex to extract a sequence of digits, and I'd like Splunk to treat it as a numeric field, rather than categorical - so the automatic summary data in the field list will give min, max, mean and stdev.

 | rex field=_raw "Time=(?P<mytime>\d+)ms"

but field mytime shows up as (categorical) with no useful statistics.

Is there any way to make Splunk recognize this is actually a numeric field?

Tags (1)
0 Karma
Reply

lukejadamec
Super Champion
‎08-21-2013 04:45 PM

Try to pipe the results of your rex to a convert like this. 

| rex field=_raw "Time=(?P<mytime>\d+)ms" | convert num(mytime)

If you're looking for different types of numerics, then review this doc:

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Convert

0 Karma
Reply

lukejadamec
Super Champion
‎08-21-2013 05:28 PM

If convert does not work, then the documentation says that eval should.
... | eval mytime=tonumber(mystring)

0 Karma
Reply

lukejadamec
Super Champion
‎08-21-2013 05:13 PM

Sorry, I must have mis-understood the documentation:
"Synopsis
Converts field values into numerical values."

Did you try auto instead of num?

0 Karma
Reply

alange
Explorer
‎08-21-2013 05:05 PM

Just tested - the above command does NOT convert the field from categorical to numeric. Looking at the documentation, it seems designed to convert other representations (for example, hh:mm:ss) into integers for easier comparison

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...