Solved: Re: Why am I unable to convert a string to numeric...

sjafferali · ‎04-20-2018

I am trying to convert a string to numeric but it is not getting converted.

index="dnr_ecc" jobname="*IC*HV_TREX" | eval runtime = tonumber(total_run_time) |
table jobname total_run_time runtime

Runtime field is displaying as blank. I need this to covert to numeric so I can use the sum functional to sum the runtime.

Any help is much appreciated.

niketn · ‎04-21-2018

@sjafferali, can there be spaces before or after numeric total_run_time which may treat it as string? Can you try the following?

 index="dnr_ecc" jobname="*IC*HV_TREX" 
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")
| table jobname total_run_time runtime

PS: tostring(<yourFieldName>,"duration") converts seconds to days+ HH:MM:SS. If your need just numeric replace() eval should do. Following is the run-anywhere example with spaces around data:

| makeresults
| eval total_run_time=" 1540 ; 1751 ; 1780 ; 1832 "
| makemv total_run_time delim=";"
| mvexpand total_run_time
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

TISKAR · ‎04-21-2018

@sjafferali, you can use trim command to remove space, try this:

 index="dnr_ecc" jobname="*IC*HV_TREX"  | eval runtime = tonumber(trim(total_run_time," ")) |
 table jobname total_run_time runtime

niketn · ‎04-21-2018

@sjafferali, can there be spaces before or after numeric total_run_time which may treat it as string? Can you try the following?

 index="dnr_ecc" jobname="*IC*HV_TREX" 
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")
| table jobname total_run_time runtime

PS: tostring(<yourFieldName>,"duration") converts seconds to days+ HH:MM:SS. If your need just numeric replace() eval should do. Following is the run-anywhere example with spaces around data:

| makeresults
| eval total_run_time=" 1540 ; 1751 ; 1780 ; 1832 "
| makemv total_run_time delim=";"
| mvexpand total_run_time
| eval total_run_time=replace(total_run_time,"\s+","")
| eval runtime = tostring(total_run_time,"duration")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sjafferali · ‎04-23-2018

Thanks Everyone for your response and Thanks Niketnilay.

The command below worked. Looks like there were blank spaces after the numbers. I was able to chart the total runtime by day which provides a trend analysis.

eval total_run_time=replace(total_run_time,"\s+","")

woodcock · ‎04-20-2018

The problem is usually whitespace so try this:

index="dnr_ecc" jobname="*IC*HV_TREX"
| eval runtime = tonumber(replace(total_run_time, "[\r\n\s]+", ""))

somesoni2 · ‎04-20-2018

Try this

index="dnr_ecc" jobname="*IC*HV_TREX" |convert dur2sec(total_run_time) as runtime |
 table jobname total_run_time runtime

sjafferali · ‎04-20-2018

during dur2sec is still not working.

somesoni2 · ‎04-20-2018

Does total_run_time has value 3400 seconds (number with string unit in it) OR just 3400?

sjafferali · ‎04-20-2018

It has just 3400

sjafferali · ‎04-23-2018

Hi Somesoni2 - Thank you for your multiple immediate responses. I really appreciate your help.

The command below worked for my scenario.

eval total_run_time=replace(total_run_time,"\s+","")

sjafferali · ‎04-20-2018

total run time looks like in numberic format. it is in seconds like if 3400 seconds is the runtime, total_run_time will have "3400", if 15000 then "15000"

elliotproebstel · ‎04-20-2018

Does the field contain something besides just a number? What do you get from this:

index="dnr_ecc" jobname="*IC*HV_TREX" total_run_time=*
| head 5
| stats values(total_run_time)

Can you copy and paste the results here?

sjafferali · ‎04-20-2018

I ran the query you gave
index="dnr_ecc" jobname="IC*HV_TREX" total_run_time= | head 5 | stats values(total_run_time)
Result is as below. There is no text in the field.

values(total_run_time)
1540
1751
1780
1832

elliotproebstel · ‎04-20-2018

If total_run_time looks like "3400 seconds", then you could use a rex command to extract the first series of numbers it encounters in the field:

| rex mode=sed field=total_run_time "s/^(\d+)([^\d].*)/\1/"

So that would turn 3400 seconds into 3400.

sjafferali · ‎04-20-2018

I tried the below after using the convert command, but the result comes as "False"

index="dnr_ecc" jobname="*IC*HV_TREX" | convert num(total_run_time) as runtime |
eval result=if(isNum(runtime),"True","False") |
table result

elliotproebstel · ‎04-20-2018

Can you give some sample values for the total_run_time field that you're trying to convert?

sjafferali · ‎04-20-2018

I ran the query you gave
index="dnr_ecc" jobname="IC*HV_TREX" total_run_time= | head 5 | stats values(total_run_time)
Result is as below. There is no text in the field.

values(total_run_time)
1540
1751
1780
1832

Why am I unable to convert a string to numeric?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation