Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

string to decimal and use where condition

lain179
Communicator
‎04-03-2013 05:25 PM

I have extracted a field that represents how long a process takes. The values looks like 1.0435, 2.242, 234.23435, etc. Using rex, the values are stored as string, so I use convert auto(timetaken). Though it seems to convert it to number, I couldn't get the where clause to work. I searched for where timetake>1, and I got much fewer results than I expected. Please help. Thanks.

Here is my search syntax.

sourcetype="Engine Logs" done save | rex field=_raw ".*in (?<TimeTaken>[0-9\.]+) seconds.*SERVER\.(?<Server>.*)\.Engine" | convert auto(TimeTaken) | stats values(TimeTaken) as TimeTaken by Server | search TimeTaken>1
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎04-03-2013 09:52 PM

It would help if you posted your actual search. Typically, when using rex to extract a field and the regex extract numbers, including decimals, Splunk will take care of typing. So you don't really have to call convert. In any case, where should work in filtering things out.

Try this:

index=_internal sourcetype="splunkd_access" HTTP | head 100 | rex "HTTP/(?<http_version>[^\"]+)" | where http_version>1

and you should only see events with that contain "HTTP/1.1" but no "HTTP/1.0"

Alternatively, you can use search instead of where. Ex. | search timetaken>1

View solution in original post

0 Karma
Reply
Solved! Jump to solution

lain179
Communicator
‎04-04-2013 09:32 AM

Oh never mind, I found what went wrong. When a server has multiple values - some less than 1 and some more than 1, that server doesn't return in the result for search TimeTaken>1. I have to do the stats by Sever, _time. And that worked.

0 Karma
Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎04-03-2013 09:52 PM

It would help if you posted your actual search. Typically, when using rex to extract a field and the regex extract numbers, including decimals, Splunk will take care of typing. So you don't really have to call convert. In any case, where should work in filtering things out.

Try this:

index=_internal sourcetype="splunkd_access" HTTP | head 100 | rex "HTTP/(?<http_version>[^\"]+)" | where http_version>1

and you should only see events with that contain "HTTP/1.1" but no "HTTP/1.0"

Alternatively, you can use search instead of where. Ex. | search timetaken>1

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...