Splunk Search

Why am I unable to convert a string to numeric?

sjafferali
Explorer

I am trying to convert a string to numeric but it is not getting converted.

index="dnr_ecc" jobname="*IC*HV_TREX" | eval runtime = tonumber(total_run_time) |
table jobname total_run_time runtime

Runtime field is displaying as blank. I need this to covert to numeric so I can use the sum functional to sum the runtime.

Any help is much appreciated.

0 Karma
1 Solution

niketn
Legend

@sjafferali, can there be spaces before or after numeric total_run_time which may treat it as string? Can you try the following?

 index="dnr_ecc" jobname="*IC*HV_TREX" 
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")
| table jobname total_run_time runtime

PS: tostring(<yourFieldName>,"duration") converts seconds to days+ HH:MM:SS. If your need just numeric replace() eval should do. Following is the run-anywhere example with spaces around data:

| makeresults
| eval total_run_time=" 1540 ; 1751 ; 1780 ; 1832 "
| makemv total_run_time delim=";"
| mvexpand total_run_time
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

TISKAR
Builder

@sjafferali, you can use trim command to remove space, try this:

 index="dnr_ecc" jobname="*IC*HV_TREX"  | eval runtime = tonumber(trim(total_run_time," ")) |
 table jobname total_run_time runtime
0 Karma

niketn
Legend

@sjafferali, can there be spaces before or after numeric total_run_time which may treat it as string? Can you try the following?

 index="dnr_ecc" jobname="*IC*HV_TREX" 
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")
| table jobname total_run_time runtime

PS: tostring(<yourFieldName>,"duration") converts seconds to days+ HH:MM:SS. If your need just numeric replace() eval should do. Following is the run-anywhere example with spaces around data:

| makeresults
| eval total_run_time=" 1540 ; 1751 ; 1780 ; 1832 "
| makemv total_run_time delim=";"
| mvexpand total_run_time
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

sjafferali
Explorer

Thanks Everyone for your response and Thanks Niketnilay.

The command below worked. Looks like there were blank spaces after the numbers. I was able to chart the total runtime by day which provides a trend analysis.

eval total_run_time=replace(total_run_time,"\s+","")

woodcock
Esteemed Legend

The problem is usually whitespace so try this:

index="dnr_ecc" jobname="*IC*HV_TREX"
| eval runtime = tonumber(replace(total_run_time, "[\r\n\s]+", ""))
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

index="dnr_ecc" jobname="*IC*HV_TREX" |convert dur2sec(total_run_time) as runtime |
 table jobname total_run_time runtime
0 Karma

sjafferali
Explorer

during dur2sec is still not working.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Does total_run_time has value 3400 seconds (number with string unit in it) OR just 3400?

0 Karma

sjafferali
Explorer

It has just 3400

0 Karma

sjafferali
Explorer

Hi Somesoni2 - Thank you for your multiple immediate responses. I really appreciate your help.

The command below worked for my scenario.

eval total_run_time=replace(total_run_time,"\s+","")

0 Karma

sjafferali
Explorer

total run time looks like in numberic format. it is in seconds like if 3400 seconds is the runtime, total_run_time will have "3400", if 15000 then "15000"

0 Karma

elliotproebstel
Champion

Does the field contain something besides just a number? What do you get from this:

index="dnr_ecc" jobname="*IC*HV_TREX" total_run_time=*
| head 5
| stats values(total_run_time)

Can you copy and paste the results here?

0 Karma

sjafferali
Explorer

I ran the query you gave
index="dnr_ecc" jobname="IC*HV_TREX" total_run_time= | head 5 | stats values(total_run_time)
Result is as below. There is no text in the field.

values(total_run_time)
1540
1751
1780
1832

0 Karma

elliotproebstel
Champion

If total_run_time looks like "3400 seconds", then you could use a rex command to extract the first series of numbers it encounters in the field:

| rex mode=sed field=total_run_time "s/^(\d+)([^\d].*)/\1/"

So that would turn 3400 seconds into 3400.

0 Karma

sjafferali
Explorer

I tried the below after using the convert command, but the result comes as "False"

index="dnr_ecc" jobname="*IC*HV_TREX" | convert num(total_run_time) as runtime |
eval result=if(isNum(runtime),"True","False") |
table result

0 Karma

elliotproebstel
Champion

Can you give some sample values for the total_run_time field that you're trying to convert?

sjafferali
Explorer

I ran the query you gave
index="dnr_ecc" jobname="IC*HV_TREX" total_run_time= | head 5 | stats values(total_run_time)
Result is as below. There is no text in the field.

values(total_run_time)
1540
1751
1780
1832

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...