Solved: Why are we unable to evaluate a field obtained fro...

nilbak1 · ‎05-28-2019

Using below query:

 index="incident" sourcetype="csv" | rex max_match=0 "(?(?i)(order))" | stats count by classification

Result I am getting is:

classification  count
ORDER   2
Order   120
order   83

Now i want to make this order value as 1 field value like

Order 205

And I trying to do this by converting classification field from string into numeric and then using eval function, but here tonumber function is not working. And I am not able to achieve the required result.

Any help is appreciated.

nilbak1 · ‎05-28-2019

Its working now
I have used below query. Thanks all for the help 🙂

    source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv"
    | rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=lower(classification)| stats count by classification

View solution in original post

nilbak1 · ‎05-28-2019

Its working now
I have used below query. Thanks all for the help 🙂

    source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv"
    | rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=lower(classification)| stats count by classification

sayaksplunk · ‎05-28-2019

If your goal is to achieve the output as the sum of the count field irrespective of the case of the contents in the classification field i.e. "Order 205" as per your question then you can try an approach even without rex. Below is the code for the same. This will help you generalize the case of the contents of "Classification" field.

index="incident" sourcetype="csv"
|eval Classification=lower(Classification)
|stats sum(Count) as Count by Classification

nilbak1 · ‎05-28-2019

Without rex it will not work here as I need to extract field different fields here from events then do their count.

richgalloway · ‎05-28-2019

Use the coalesce function to combine several fields into a single field.

index="incident" sourcetype="csv" | rex max_match=0 "(?(?i)(order))" | eval classification=coalesce(ORDER, Order, order) | stats count by classification

---
If this reply helps you, Karma would be appreciated.

nilbak1 · ‎05-28-2019

I am getting no results found under statistics tab. Used below query.

 source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv" | rex max_match=0 field=_raw "(?(?i)(order))" | eval classification=coalesce(ORDER, Order, order) |  stats count by classification

sayaksplunk · ‎05-28-2019

I have just modified your query, try if it works:

source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv"
| rex max_match=0 field=_raw "(?(?i)(order))" | eval classification=coalesce("ORDER", "Order", "order") | stats count by classification

nilbak1 · ‎05-28-2019

yes i have used below in my query. I am getting the same result.
| rex max_match=0 field=_raw

Sample Event I can't provide here.
its just , not able to convert string to numeric, I have tried all options.
Not sure, why eval function is not working after rex command

jodyfsu · ‎05-28-2019

I think, in your rex statement you may need to identify the field.

| rex field=max_match

But, I may be misunderstanding what you have.

If you can provide a sample event I may be able to help more.

Why are we unable to evaluate a field obtained from rex?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM