Numerify

The Numerify function in Observo AI extracts numerical values from string fields and converts them into numeric fields. This is particularly useful for transforming unstructured or semi-structured data into a format suitable for quantitative analysis.

Purpose

The Numerify function scans string fields for numerical patterns such as integers, decimals, or percentages and extracts them into new numeric fields. This enables you to perform mathematical operations, aggregations, or comparisons on the extracted values.

Usage

Select the Numerify transform, then add a Name (required) and a Description (optional).

General Configuration:

  • Bypass Transform: Defaults to disabled. When enabled, this transform will be bypassed entirely, allowing the event to pass through without any modifications.

  • Add Filter Conditions: Defaults to disabled. When enabled, events are filtered by conditions. Only events that meet the conditions are processed; all others bypass this transform. Conditions are built with AND/OR logic using the "+Rule" or "+Group" buttons.

Numerify: Enabled: Defaults to enabled, meaning all events are evaluated. Toggle Enabled off to prevent events from being processed and fed to the downstream transforms.

Numerify Rules: Click the Add button to add a new field as a key (the name of the field), with the following inputs:

  • Field Name: The name of the field whose value is to be converted to a number. The value will be automatically converted to the appropriate numeric type, such as float or integer.

Examples

Examples require that Enabled is toggled on.

Extracting a Number from a String

Scenario: Extract the numerical value from the string log.error_count: “123”.

Numerify Rule

Field Name

log.error_count

Results: The value for the log.error_count field is converted to the numeric value 123.

Extract Multiple Names

Scenario: Extract multiple numerical values from string field values.

Field Names

palo_alto.bytes

palo_alto.bytes_in

palo_alto.bytes_out

palo_alto.duration

palo_alto.packets

palo_alto.packets_in

palo_alto.packets_out

palo_alto.repeat_count

Palo Alto Traffic Log Entry (Text Fields)

{
  "appname":"pan",
  "facility":"lpr",
  "hostname":"cgen",
  "palo_alto":{
    "action":"allow",
    "action_flags":"0x0",
    "action_source":"from-policy",
    "app":"incomplete",
    "bytes":"9259",
    "bytes_in":"0",
    "bytes_out":"9259",
    "duration":"54",
    "dvc_name":"PA-VM",
    "log_type":"TRAFFIC",
    "packets":"42",
    "packets_in":"0",
    "packets_out":"4",
    "receive_time":"2025/02/20 16:41:53",
    "repeat_count":"0",
    "rule":"observo-ai",
    "version":"0",
    "vsys":"vsys1",
    "vsys_name":""
  },
  "severity":"alert",
  "source_ip":"192.168.3.48",
  "timestamp":"2025-02-20T16:41:53.851Z"
}

Palo Alto Traffic Log Entry (Numeric Fields)

{
  "appname":"pan",
  "facility":"lpr",
  "hostname":"cgen",
  "palo_alto":{
    "action":"allow",
    "action_flags":"0x0",
    "action_source":"from-policy",
    "app":"incomplete",
    "bytes":9259,
    "bytes_in":0,
    "bytes_out":9259,
    "duration":54,
    "dvc_name":"PA-VM",
    "log_type":"TRAFFIC",
    "packets":42,
    "packets_in":0,
    "packets_out":4,
    "receive_time":"2025/02/20 16:41:53",
    "repeat_count":0,
    "rule":"observo-ai",
    "version":"0",
    "vsys":"vsys1",
    "vsys_name":""
  },
  "severity":"alert",
  "source_ip":"192.168.3.48",
  "timestamp":"2025-02-20T16:41:53.851Z"
}
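The conversion above matters for detection rules because string-typed counters compare lexicographically, so a byte-count threshold can fire on the wrong events. The following Python sketch is an added example, not Observo AI's implementation; `numerify`, `over_threshold`, the whole-string matching rule and the trimmed event are assumptions made for illustration.

```python
import json
import re

# Assumed rule: convert only when the whole value is an integer or decimal.
_NUM = re.compile(r"[+-]?\d+(\.\d+)?")

def numerify(event, field_paths):
    """Return a copy of event with the listed dotted-path string fields made numeric."""
    out = json.loads(json.dumps(event))  # deep copy of JSON-like data
    for path in field_paths:
        *parents, leaf = path.split(".")
        node = out
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
            if node is None:
                break
        if not isinstance(node, dict):
            continue  # path does not exist in this event: leave it alone
        value = node.get(leaf)
        if isinstance(value, str) and _NUM.fullmatch(value.strip()):
            text = value.strip()
            node[leaf] = float(text) if "." in text else int(text)
    return out

# Constructed sample: a trimmed copy of the traffic log entry shown above.
EVENT = {
    "palo_alto": {
        "action_flags": "0x0",   # hex flag: not a decimal number, stays a string
        "bytes": "9259",
        "bytes_out": "9259",
        "duration": "54",
        "packets": "42",
        "vsys_name": "",
    },
    "source_ip": "192.168.3.48",
}
RULES = ["palo_alto.bytes", "palo_alto.bytes_out", "palo_alto.duration",
         "palo_alto.packets", "palo_alto.action_flags", "palo_alto.missing"]

def over_threshold(event, limit):
    """Detection-style check: did the session move more than `limit` bytes?"""
    return event["palo_alto"]["bytes"] > limit

if __name__ == "__main__":
    print(over_threshold(EVENT, "10000"))                  # string comparison
    print(over_threshold(numerify(EVENT, RULES), 10000))   # numeric comparison
```

On the text event, the string comparison reports 9259 bytes as exceeding a 10000-byte limit because "9" sorts after "1"; after conversion the comparison is numeric and the rule no longer matches.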

Use Cases

  • Log Parsing: Extract numerical values from log messages, such as error codes and response times.

  • Metric Extraction: Convert string-based metrics such as "75%" or "1024KB" into numeric fields for analysis.

  • Data Normalization: Standardize mixed-format data into numeric values for aggregation or visualization.

Best Practices

  1. Pattern Matching: Ensure the input strings contain recognizable numerical patterns such as integers or decimals.

  2. Chaining Functions: Combine Numerify with other functions like Filter Event or Reduce for advanced data processing.

  • Reduce: Reduce events by applying aggregation functions.

  • Aggregate Metrics: Aggregate multiple metrics into a single metric based on a set of conditions.
