Splunk Search

Why are we unable to evaluate a field obtained from rex?

nilbak1
Communicator

Using the query below:

 index="incident" sourcetype="csv" | rex max_match=0 "(?<classification>(?i)(order))" | stats count by classification

The result I am getting is:

classification  count
ORDER   2
Order   120
order   83

Now I want to make this order value a single field value, like

Order 205

I am trying to do this by converting the classification field from string to numeric and then using the eval function, but the tonumber function is not working here, and I am not able to achieve the required result.

Any help is appreciated.

0 Karma
1 Solution

nilbak1
Communicator

It's working now.
I have used the query below. Thanks all for the help 🙂

    source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv"
    | rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=lower(classification)| stats count by classification


0 Karma
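As an added illustration (not code from the thread), the following Python model reproduces what the accepted query does and why the earlier attempts failed: rex with max_match=0 extracts every "order" match into one field named classification, stats count by groups by the exact string, and lower() merges the three case variants. The EVENTS list is constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter
from typing import Callable, Dict, List, Optional

# Constructed sample events standing in for rows of the "incident" CSV (not real data).
EVENTS = [
    "INC001,ORDER not received,open",
    "INC002,Order delayed,open",
    "INC003,order cancelled,closed",
    "INC004,Order refund requested,open",
    "INC005,password reset,closed",
]

# Model of: rex max_match=0 field=_raw "(?<classification>(?i)(order))"
# max_match=0 keeps every match, so an event can yield several values.
CLASSIFICATION_RE = re.compile(r"(?P<classification>order)", re.IGNORECASE)


def rex_all(raw: str) -> List[str]:
    """Return every match of the named group, as rex max_match=0 would."""
    return [m.group("classification") for m in CLASSIFICATION_RE.finditer(raw)]


def stats_count_by(events: List[str],
                   normalize: Optional[Callable[[str], str]] = None) -> Dict[str, int]:
    """Model of `stats count by classification`.

    Grouping is by the exact string, so 'ORDER', 'Order' and 'order' are three
    separate rows unless the value is normalized first, which is what the accepted
    answer's `eval classification=lower(classification)` does.  Events with no
    classification value contribute nothing, as they would in Splunk.
    """
    counts: Counter = Counter()
    for raw in events:
        for value in rex_all(raw):
            counts[normalize(value) if normalize else value] += 1
    return dict(counts)


def coalesce_by_name(raw: str) -> Optional[str]:
    """Why `eval classification=coalesce(ORDER, Order, order)` returned no results:
    rex created a single field named 'classification'; there are no fields named
    ORDER, Order or order, so coalesce sees three nulls and the by-field is empty."""
    fields = {"classification": rex_all(raw)}
    for name in ("ORDER", "Order", "order"):
        if fields.get(name):
            return fields[name][0]
    return None
```

Running stats_count_by(EVENTS) gives the split rows seen in the question, while stats_count_by(EVENTS, str.lower) gives the single merged row.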

sayaksplunk
Explorer

If your goal is to get the output as the sum of the count field irrespective of the case of the contents of the classification field, i.e. "Order 205" as per your question, then you can try an approach even without rex. Below is the code for the same. This will help you generalize the case of the contents of the "Classification" field.

index="incident" sourcetype="csv"
|eval Classification=lower(Classification)
|stats sum(Count) as Count by Classification
0 Karma

nilbak1
Communicator

Without rex it will not work here, as I need to extract different fields from the events and then count them.

0 Karma

richgalloway
SplunkTrust

Use the coalesce function to combine several fields into a single field.

index="incident" sourcetype="csv" | rex max_match=0 "(?<classification>(?i)(order))" | eval classification=coalesce(ORDER, Order, order) | stats count by classification
---
If this reply helps you, Karma would be appreciated.
0 Karma

nilbak1
Communicator

I am getting "no results found" under the statistics tab. I used the query below.

 source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv" | rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=coalesce(ORDER, Order, order) |  stats count by classification
0 Karma

sayaksplunk
Explorer

I have just modified your query; try whether it works:

source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv"
| rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=coalesce("ORDER", "Order", "order") | stats count by classification

0 Karma

nilbak1
Communicator

Yes, I have used the below in my query. I am getting the same result.
| rex max_match=0 field=_raw

I can't provide a sample event here.
It's just that I am not able to convert string to numeric; I have tried all options.
Not sure why the eval function is not working after the rex command.

0 Karma

jodyfsu
Path Finder

I think that in your rex statement you may need to identify the field.

| rex field=max_match

But, I may be misunderstanding what you have.

If you can provide a sample event I may be able to help more.

0 Karma