Splunk Search

Why am I unable to convert a string to numeric?

sjafferali
Explorer

I am trying to convert a string to numeric but it is not getting converted.

index="dnr_ecc" jobname="*IC*HV_TREX" | eval runtime = tonumber(total_run_time) |
table jobname total_run_time runtime

Runtime field is displaying as blank. I need this to covert to numeric so I can use the sum functional to sum the runtime.

Any help is much appreciated.

0 Karma
1 Solution

niketn
Legend

@sjafferali, can there be spaces before or after numeric total_run_time which may treat it as string? Can you try the following?

 index="dnr_ecc" jobname="*IC*HV_TREX" 
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")
| table jobname total_run_time runtime

PS: tostring(<yourFieldName>,"duration") converts seconds to days+ HH:MM:SS. If your need just numeric replace() eval should do. Following is the run-anywhere example with spaces around data:

| makeresults
| eval total_run_time=" 1540 ; 1751 ; 1780 ; 1832 "
| makemv total_run_time delim=";"
| mvexpand total_run_time
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

TISKAR
Builder

@sjafferali, you can use trim command to remove space, try this:

 index="dnr_ecc" jobname="*IC*HV_TREX"  | eval runtime = tonumber(trim(total_run_time," ")) |
 table jobname total_run_time runtime
0 Karma

niketn
Legend

@sjafferali, can there be spaces before or after numeric total_run_time which may treat it as string? Can you try the following?

 index="dnr_ecc" jobname="*IC*HV_TREX" 
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")
| table jobname total_run_time runtime

PS: tostring(<yourFieldName>,"duration") converts seconds to days+ HH:MM:SS. If your need just numeric replace() eval should do. Following is the run-anywhere example with spaces around data:

| makeresults
| eval total_run_time=" 1540 ; 1751 ; 1780 ; 1832 "
| makemv total_run_time delim=";"
| mvexpand total_run_time
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

sjafferali
Explorer

Thanks Everyone for your response and Thanks Niketnilay.

The command below worked. Looks like there were blank spaces after the numbers. I was able to chart the total runtime by day which provides a trend analysis.

eval total_run_time=replace(total_run_time,"\s+","")

woodcock
Esteemed Legend

The problem is usually whitespace so try this:

index="dnr_ecc" jobname="*IC*HV_TREX"
| eval runtime = tonumber(replace(total_run_time, "[\r\n\s]+", ""))
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

index="dnr_ecc" jobname="*IC*HV_TREX" |convert dur2sec(total_run_time) as runtime |
 table jobname total_run_time runtime
0 Karma

sjafferali
Explorer

during dur2sec is still not working.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Does total_run_time has value 3400 seconds (number with string unit in it) OR just 3400?

0 Karma

sjafferali
Explorer

It has just 3400

0 Karma

sjafferali
Explorer

Hi Somesoni2 - Thank you for your multiple immediate responses. I really appreciate your help.

The command below worked for my scenario.

eval total_run_time=replace(total_run_time,"\s+","")

0 Karma

sjafferali
Explorer

total run time looks like in numberic format. it is in seconds like if 3400 seconds is the runtime, total_run_time will have "3400", if 15000 then "15000"

0 Karma

elliotproebstel
Champion

Does the field contain something besides just a number? What do you get from this:

index="dnr_ecc" jobname="*IC*HV_TREX" total_run_time=*
| head 5
| stats values(total_run_time)

Can you copy and paste the results here?

0 Karma

sjafferali
Explorer

I ran the query you gave
index="dnr_ecc" jobname="IC*HV_TREX" total_run_time= | head 5 | stats values(total_run_time)
Result is as below. There is no text in the field.

values(total_run_time)
1540
1751
1780
1832

0 Karma

elliotproebstel
Champion

If total_run_time looks like "3400 seconds", then you could use a rex command to extract the first series of numbers it encounters in the field:

| rex mode=sed field=total_run_time "s/^(\d+)([^\d].*)/\1/"

So that would turn 3400 seconds into 3400.

0 Karma

sjafferali
Explorer

I tried the below after using the convert command, but the result comes as "False"

index="dnr_ecc" jobname="*IC*HV_TREX" | convert num(total_run_time) as runtime |
eval result=if(isNum(runtime),"True","False") |
table result

0 Karma

elliotproebstel
Champion

Can you give some sample values for the total_run_time field that you're trying to convert?

sjafferali
Explorer

I ran the query you gave
index="dnr_ecc" jobname="IC*HV_TREX" total_run_time= | head 5 | stats values(total_run_time)
Result is as below. There is no text in the field.

values(total_run_time)
1540
1751
1780
1832

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...