Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are fields returning true for both isNum() and isStr() ?

rolaso
Explorer
‎10-17-2014 06:29 AM

Hi,

I want to setup a search to alarm me if a field ever changes its nature. To play around, I chose the year field in one of our indexes. This field appears to be numeric.

field k="date_year" c="20" nc="20" dc="1" exact="1" relevant="0"

All 20 counts are numeric, hence it should be numeric.

I would expect this simple search to have isNum=true and isStr=false for all fields:

index=foo
| eval isStr= if(isstr(date_year),"true","false")
| eval isNum= if(isnum(date_year),"true","false")
| table isNum,isStr, date_year

But this is what I get:

isNum isStr date_year
true true 2014
true true 2014
true true 2014

I have done some research, and I can't find any posts about this behaviour. Can someone explain to me why this is happening?

Many thanks!

R

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ppablo
Retired
‎10-17-2014 12:16 PM

Hi @rolaso

I think the reason isStr is returning "true" is because numeric values are also considered strings. I was just looking through Splunk documentation and found this:

"Numbers, for example, are strings that contain the number. For example, a field containing a value of the number 10 contains the characters 1 and 0: "10""

The date_year field will always be a number, so 2014 could be seen as containing the characters 2, 0, 1, 4: "2014", so it makes sense that | eval isStr= if(isstr(date_year),"true","false") would return "true".

View solution in original post

Reply
Solved! Jump to solution
Solution

ppablo
Retired
‎10-17-2014 12:16 PM

Hi @rolaso

I think the reason isStr is returning "true" is because numeric values are also considered strings. I was just looking through Splunk documentation and found this:

"Numbers, for example, are strings that contain the number. For example, a field containing a value of the number 10 contains the characters 1 and 0: "10""

The date_year field will always be a number, so 2014 could be seen as containing the characters 2, 0, 1, 4: "2014", so it makes sense that | eval isStr= if(isstr(date_year),"true","false") would return "true".

Reply
Solved! Jump to solution

weidertc
Communicator
‎07-27-2020 02:36 PM

Is this a claim that isnum() and isstr() are deprecated?  This was working up until recently.  I've been scratching my head for hours trying to fix my dashboard.

If this is the case then there needs to be a way to find out if a string containing only numbers is indeed only numbers.

0 Karma
Reply
Solved! Jump to solution

rolaso
Explorer
‎10-19-2014 09:21 PM

Thank you for your reply, it makes perfect sense.

0 Karma
Reply
Solved! Jump to solution

Nikobobinus
Engager
‎12-03-2018 02:57 AM

Under which scenarios does isstr return false then other than empty/null?

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎10-19-2014 09:27 PM

No problem @rolaso glad I could clarify.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...