Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

cannot eval a field obtained from rex and i am pretty sure the field is only digits

kingsizebk
Path Finder
‎12-14-2012 07:34 AM

I cannot seem to "eval" a field obtained from a "rex" and i am pretty sure the field is only digits... this is similiar to http://splunk-base.splunk.com/answers/45605/cannot-eval-a-field-obtained-from-rex, which i already reviewed

here is the search: "Latency:" | rex "Latency:\s*(?P<fsprhr>\d+)" | eval fsprhr=1

here is an example of the data returned by the search, regardless of whether the search is "Latency:" or "Latency:" | rex "Latency:\s*(?P<fsprhr>\d+)" or "Latency:" | rex "Latency:\s*(?P<fsprhr>\d+)" | eval fsprhr=1:

<?xml version='1.0' encoding='utf-8'?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><log-entry serial='201360' domain='SANDBOX'><date>20121214</date><time utc='1355497924621'>151204</time><date-time>2012-12-14T10:12:04</date-time><type>latency</type><class>xmlfirewall</class><object>xmiStats</object><level num='6'>info</level><transaction-type></transaction-type><transaction>9607650</transaction><client>10.70.50.223</client><code>0x80e00073</code><file></file><message>Latency: 0 0 0 0 519 493 1 519 0 0 0 519 0 0 0 0 [http://emsadp07mgt:2066/xmiStats]</message></log-entry></SOAP-ENV:Body></SOAP-ENV:Envelope>

the data above is in XML format and is not displaying properly and i do not enough karma to upload a screenshot...

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

itinney
Path Finder
‎12-14-2012 04:12 PM

I'm not sure what you are trying to do here. What do you mean you cannot "eval" a field that has been extracted with Rex. Eval creates a new field based on evaluating something. You are simply assigning to a field that has the same name as the extracted field.

Does the following work?

| eval newfield=fsprhr

What are you trying to do with Eval?

View solution in original post

Reply
Solved! Jump to solution
Solution

itinney
Path Finder
‎12-14-2012 04:12 PM

I'm not sure what you are trying to do here. What do you mean you cannot "eval" a field that has been extracted with Rex. Eval creates a new field based on evaluating something. You are simply assigning to a field that has the same name as the extracted field.

Does the following work?

| eval newfield=fsprhr

What are you trying to do with Eval?

Reply
Solved! Jump to solution

kingsizebk
Path Finder
‎02-22-2013 07:30 AM

I was trying to check whether or not the fsprhr field had a value of 1...

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎12-14-2012 08:14 AM

try to convert to numerical with |convert num(myfield)

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...