Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to force rex to extract a field with numeric type

alange
Explorer
‎08-21-2013 03:51 PM

(Splunk 4.3.2, in case it makes a difference)

I'm using rex to extract a sequence of digits, and I'd like Splunk to treat it as a numeric field, rather than categorical - so the automatic summary data in the field list will give min, max, mean and stdev.

 | rex field=_raw "Time=(?P<mytime>\d+)ms"

but field mytime shows up as (categorical) with no useful statistics.

Is there any way to make Splunk recognize this is actually a numeric field?

Tags (1)
0 Karma
Reply

lukejadamec
Super Champion
‎08-21-2013 04:45 PM

Try to pipe the results of your rex to a convert like this. 

| rex field=_raw "Time=(?P<mytime>\d+)ms" | convert num(mytime)

If you're looking for different types of numerics, then review this doc:

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Convert

0 Karma
Reply

lukejadamec
Super Champion
‎08-21-2013 05:28 PM

If convert does not work, then the documentation says that eval should.
... | eval mytime=tonumber(mystring)

0 Karma
Reply

lukejadamec
Super Champion
‎08-21-2013 05:13 PM

Sorry, I must have mis-understood the documentation:
"Synopsis
Converts field values into numerical values."

Did you try auto instead of num?

0 Karma
Reply

alange
Explorer
‎08-21-2013 05:05 PM

Just tested - the above command does NOT convert the field from categorical to numeric. Looking at the documentation, it seems designed to convert other representations (for example, hh:mm:ss) into integers for easier comparison

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...