Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

string to decimal and use where condition

lain179
Communicator
‎04-03-2013 05:25 PM

I have extracted a field that represents how long a process takes. The values looks like 1.0435, 2.242, 234.23435, etc. Using rex, the values are stored as string, so I use convert auto(timetaken). Though it seems to convert it to number, I couldn't get the where clause to work. I searched for where timetake>1, and I got much fewer results than I expected. Please help. Thanks.

Here is my search syntax.

sourcetype="Engine Logs" done save | rex field=_raw ".*in (?<TimeTaken>[0-9\.]+) seconds.*SERVER\.(?<Server>.*)\.Engine" | convert auto(TimeTaken) | stats values(TimeTaken) as TimeTaken by Server | search TimeTaken>1
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎04-03-2013 09:52 PM

It would help if you posted your actual search. Typically, when using rex to extract a field and the regex extract numbers, including decimals, Splunk will take care of typing. So you don't really have to call convert. In any case, where should work in filtering things out.

Try this:

index=_internal sourcetype="splunkd_access" HTTP | head 100 | rex "HTTP/(?<http_version>[^\"]+)" | where http_version>1

and you should only see events with that contain "HTTP/1.1" but no "HTTP/1.0"

Alternatively, you can use search instead of where. Ex. | search timetaken>1

View solution in original post

0 Karma
Reply
Solved! Jump to solution

lain179
Communicator
‎04-04-2013 09:32 AM

Oh never mind, I found what went wrong. When a server has multiple values - some less than 1 and some more than 1, that server doesn't return in the result for search TimeTaken>1. I have to do the stats by Sever, _time. And that worked.

0 Karma
Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎04-03-2013 09:52 PM

It would help if you posted your actual search. Typically, when using rex to extract a field and the regex extract numbers, including decimals, Splunk will take care of typing. So you don't really have to call convert. In any case, where should work in filtering things out.

Try this:

index=_internal sourcetype="splunkd_access" HTTP | head 100 | rex "HTTP/(?<http_version>[^\"]+)" | where http_version>1

and you should only see events with that contain "HTTP/1.1" but no "HTTP/1.0"

Alternatively, you can use search instead of where. Ex. | search timetaken>1

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...