How to get values from a Splunk field to particula...

Poojitha · ‎07-13-2022

Hi Team,

I have a field like below :

Cost :
0.4565534553453
0.0000435463466
0.0021345667788
0.0000000005657

I want to get values from this cost field which has value till 4 decimals i.e only 0.4565534553453 and 0.0021345667788.

How can I achieve this in my splunk query. Please can anyone help me .

Regards,
NVP

harishalipaka · ‎07-14-2022

@Poojitha

| makeresults| eval Cost="0.4565534553453" | table Cost
| append [ | makeresults| eval Cost="0.0000435463466" | table Cost]
| append [| makeresults| eval Cost="0.0021345667788" | table Cost ]
| append [ | makeresults| eval Cost="0.0000000005657" | table Cost ]
 | rex field=Cost "(?<Cost_New>\d+\.\d{4})" |where Cost_New > 0 |table Cost

Thanks
Harish

PickleRick · ‎07-13-2022

Your example is inconsistent with your description.

Rounding a value to 4 decimal digits is one thing but your description suggests that you simply want to filter out values that not smaller than 0.0001

JacekF · ‎07-13-2022

Try something like that:
| eval cost_rounded = round(Cost, 4)
| where cost_rounded > 0

ITWhisperer · ‎07-13-2022

| rex field=Cost "(?<truncated_cost>\d+\.\d{4})"

How to get values from a Splunk field to particular decimals?

field extraction

fields

table

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Are you a member of the Splunk Community?