Why are we unable to evaluate a field obtained from rex?

Communicator

Using below query:

index="incident" sourcetype="csv" | rex max_match=0 "(?<classification>(?i)(order))" | stats count by classification

Result I am getting is:

classification  count
ORDER   2
Order   120
order   83

Now I want to make this order value into one field value, like:

Order 205

I am trying to do this by converting the classification field from string into numeric and then using the eval function, but the tonumber function is not working here, and I am not able to achieve the required result.

Any help is appreciated.


Re: Why are we unable to evaluate a field obtained from rex?

Path Finder

I think, in your rex statement you may need to identify the field.

| rex field=max_match

But, I may be misunderstanding what you have.

If you can provide a sample event I may be able to help more.


Re: Why are we unable to evaluate a field obtained from rex?

Communicator

Yes, I have used the below in my query. I am getting the same result.
| rex max_match=0 field=_raw

I can't provide a sample event here.
It's just that I am not able to convert the string to numeric; I have tried all options.
Not sure why the eval function is not working after the rex command.


Re: Why are we unable to evaluate a field obtained from rex?

SplunkTrust

Use the coalesce function to combine several fields into a single field.

index="incident" sourcetype="csv" | rex max_match=0 "(?<classification>(?i)(order))" | eval classification=coalesce(ORDER, Order, order) | stats count by classification
---
If this reply helps you, an upvote would be appreciated.

Re: Why are we unable to evaluate a field obtained from rex?

Communicator

I am getting "No results found" under the Statistics tab. I used the below query.

source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv" | rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=coalesce(ORDER, Order, order) | stats count by classification

Re: Why are we unable to evaluate a field obtained from rex?

Explorer

I have just modified your query; try it and see if it works:

source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv"
| rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=coalesce("ORDER", "Order", "order") | stats count by classification


Re: Why are we unable to evaluate a field obtained from rex?

Explorer

If your goal is to get the sum of the count field irrespective of the case of the contents of the classification field, i.e. "Order 205" as per your question, then you can try an approach even without rex. Below is the code for that. This will normalize the case of the contents of the "Classification" field.

index="incident" sourcetype="csv"
|eval Classification=lower(Classification)
|stats sum(Count) as Count by Classification

Re: Why are we unable to evaluate a field obtained from rex?

Communicator

Without rex it will not work here, as I need to extract different fields from the events and then count them.


Re: Why are we unable to evaluate a field obtained from rex?

Communicator

It's working now.
I have used the below query. Thanks all for the help 🙂

    source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv"
    | rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=lower(classification)| stats count by classification

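The accepted query above works because the problem was never numeric conversion: rex produced a string field with three case variants, and tonumber() returns null for a non-numeric string such as "Order", so any eval or stats built on that result yields nothing. The fix is to fold the case of the string, not to convert it. The search below is an added example, not a query from any poster in this thread; it generalizes the accepted answer to several keywords in one rex, and it assumes a hypothetical set of events whose _raw text contains words like order, refund or chargeback in mixed case (the index, sourcetype and keywords are made up for illustration).

```spl
index="incident" sourcetype="csv"
`comment("(?i) at the start of the pattern makes the whole alternation case-insensitive; max_match=0 returns every hit as a multivalue field")`
| rex field=_raw max_match=0 "(?i)(?<classification>order|refund|chargeback)"
`comment("one row per match, so each occurrence is counted rather than each event")`
| mvexpand classification
`comment("lower() merges ORDER, Order and order into the single value order")`
| eval classification=lower(classification)
| stats count by classification
| sort - count
```

With the counts from the original question (2 + 120 + 83), this yields one row `order 205` instead of three. Drop the `mvexpand` line if you want to count events that mention a keyword at least once rather than every occurrence. To confirm why the earlier attempts failed, append `| eval n=tonumber(classification)` to the accepted query: the `n` column is empty for every row, because tonumber() only converts strings that are actually numbers.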