- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- cannot eval a field obtained from rex and i am pre...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cannot seem to "eval" a field obtained from a "rex" and i am pretty sure the field is only digits... this is similiar to http://splunk-base.splunk.com/answers/45605/cannot-eval-a-field-obtained-from-rex, which i already reviewed
here is the search: "Latency:" | rex "Latency:\s*(?P<fsprhr>\d+)" | eval fsprhr=1
here is an example of the data returned by the search, regardless of whether the search is "Latency:" or "Latency:" | rex "Latency:\s*(?P<fsprhr>\d+)" or "Latency:" | rex "Latency:\s*(?P<fsprhr>\d+)" | eval fsprhr=1:
<?xml version='1.0' encoding='utf-8'?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><log-entry serial='201360' domain='SANDBOX'><date>20121214</date><time utc='1355497924621'>151204</time><date-time>2012-12-14T10:12:04</date-time><type>latency</type><class>xmlfirewall</class><object>xmiStats</object><level num='6'>info</level><transaction-type></transaction-type><transaction>9607650</transaction><client>10.70.50.223</client><code>0x80e00073</code><file></file><message>Latency: 0 0 0 0 519 493 1 519 0 0 0 519 0 0 0 0 [http://emsadp07mgt:2066/xmiStats]</message></log-entry></SOAP-ENV:Body></SOAP-ENV:Envelope>
the data above is in XML format and is not displaying properly and i do not enough karma to upload a screenshot...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure what you are trying to do here. What do you mean you cannot "eval" a field that has been extracted with Rex. Eval creates a new field based on evaluating something. You are simply assigning to a field that has the same name as the extracted field.
Does the following work?
| eval newfield=fsprhr
What are you trying to do with Eval?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure what you are trying to do here. What do you mean you cannot "eval" a field that has been extracted with Rex. Eval creates a new field based on evaluating something. You are simply assigning to a field that has the same name as the extracted field.
Does the following work?
| eval newfield=fsprhr
What are you trying to do with Eval?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was trying to check whether or not the fsprhr field had a value of 1...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try to convert to numerical with |convert num(myfield)
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
