Re: How to force rex to extract a field with numer...

alange · ‎08-21-2013

(Splunk 4.3.2, in case it makes a difference)

I'm using rex to extract a sequence of digits, and I'd like Splunk to treat it as a numeric field, rather than categorical - so the automatic summary data in the field list will give min, max, mean and stdev.

 | rex field=_raw "Time=(?P<mytime>\d+)ms"

but field mytime shows up as (categorical) with no useful statistics.

Is there any way to make Splunk recognize this is actually a numeric field?

lukejadamec · ‎08-21-2013

Try to pipe the results of your rex to a convert like this.

| rex field=_raw "Time=(?P<mytime>\d+)ms" | convert num(mytime)

If you're looking for different types of numerics, then review this doc:

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Convert

lukejadamec · ‎08-21-2013

If convert does not work, then the documentation says that eval should.
... | eval mytime=tonumber(mystring)

lukejadamec · ‎08-21-2013

Sorry, I must have mis-understood the documentation:
"Synopsis
Converts field values into numerical values."

Did you try auto instead of num?

alange · ‎08-21-2013

Just tested - the above command does NOT convert the field from categorical to numeric. Looking at the documentation, it seems designed to convert other representations (for example, hh:mm:ss) into integers for easier comparison

How to force rex to extract a field with numeric type

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to force rex to extract a field with numeric type

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES