Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are fields returning true for both isNum() and isStr() ?

rolaso
Explorer
‎10-17-2014 06:29 AM

Hi,

I want to setup a search to alarm me if a field ever changes its nature. To play around, I chose the year field in one of our indexes. This field appears to be numeric.

field k="date_year" c="20" nc="20" dc="1" exact="1" relevant="0"

All 20 counts are numeric, hence it should be numeric.

I would expect this simple search to have isNum=true and isStr=false for all fields:

index=foo
| eval isStr= if(isstr(date_year),"true","false")
| eval isNum= if(isnum(date_year),"true","false")
| table isNum,isStr, date_year

But this is what I get:

isNum isStr date_year
true true 2014
true true 2014
true true 2014

I have done some research, and I can't find any posts about this behaviour. Can someone explain to me why this is happening?

Many thanks!

R

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ppablo
Retired
‎10-17-2014 12:16 PM

Hi @rolaso

I think the reason isStr is returning "true" is because numeric values are also considered strings. I was just looking through Splunk documentation and found this:

"Numbers, for example, are strings that contain the number. For example, a field containing a value of the number 10 contains the characters 1 and 0: "10""

The date_year field will always be a number, so 2014 could be seen as containing the characters 2, 0, 1, 4: "2014", so it makes sense that | eval isStr= if(isstr(date_year),"true","false") would return "true".

View solution in original post

Reply
Solved! Jump to solution
Solution

ppablo
Retired
‎10-17-2014 12:16 PM

Hi @rolaso

I think the reason isStr is returning "true" is because numeric values are also considered strings. I was just looking through Splunk documentation and found this:

"Numbers, for example, are strings that contain the number. For example, a field containing a value of the number 10 contains the characters 1 and 0: "10""

The date_year field will always be a number, so 2014 could be seen as containing the characters 2, 0, 1, 4: "2014", so it makes sense that | eval isStr= if(isstr(date_year),"true","false") would return "true".

Reply
Solved! Jump to solution

weidertc
Contributor
‎07-27-2020 02:36 PM

Is this a claim that isnum() and isstr() are deprecated?  This was working up until recently.  I've been scratching my head for hours trying to fix my dashboard.

If this is the case then there needs to be a way to find out if a string containing only numbers is indeed only numbers.

0 Karma
Reply
Solved! Jump to solution

rolaso
Explorer
‎10-19-2014 09:21 PM

Thank you for your reply, it makes perfect sense.

0 Karma
Reply
Solved! Jump to solution

Nikobobinus
Explorer
‎12-03-2018 02:57 AM

Under which scenarios does isstr return false then other than empty/null?

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎10-19-2014 09:27 PM

No problem @rolaso glad I could clarify.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...