All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to round search result (Miliseconds)?

tobi2k
Explorer
‎07-13-2019 06:27 AM

Hi There,

with Google I already found numerous forum contributions to this topic - but unfortunately none worked.

I want to round a result (avg_ping in miliseconds) to whole numbers.

I tried that:

index="main" source="ping" | timechart latest(avg_ping) by dest | eval avg_ping = round(avg_ping,0)

But the result is unfortunately still not rounded: 21.535

Help is very welcome!

0 Karma
Reply

pgerke_cc
Explorer
‎07-14-2019 05:21 AM

Think that yould help you?

https://answers.splunk.com/answers/667635/how-to-round-a-millisecond-output.html

have to set "eval avg_ping=round(avg_ping,0)" to "eval avg_ping=round(avg_ping,2)"

0 Karma
Reply

vbumgarner
Contributor
‎07-13-2019 09:28 AM

Add as “as avg_ping” to your time chart command, or reference the results as 'latest(avg_ping)'

timechart latest(avg_ping) as avg_ping

or

'latest(avg_ping)' = round('latest(avg_ping)',0)
0 Karma
Reply

tobi2k
Explorer
‎07-13-2019 08:18 AM

Thank you for your answer.

The query

index="main" source="ping" | timechart latest(avg_ping) by dest

results in:

_time   server1.net server2.net server3.net
2019-07-12 17:00:00 33.948  65.14   19.13
2019-07-12 17:30:00 22.779  51.48   21.58
2019-07-12 18:00:00 20.194  69.65   17.91

Its not clear for me how to address the field name for rounding.

0 Karma
Reply

HiroshiSatoh
Champion
‎07-13-2019 05:29 PM

Please look at my answer.

0 Karma
Reply

HiroshiSatoh
Champion
‎07-13-2019 07:14 AM

avg_ping does not exist. Please check the field name in the result of avg_ping.

 index="main" source="ping" | timechart latest(avg_ping) by dest

It is easy if you do it first.

 index="main" source="ping" |eval avg_ping=round(avg_ping,0)
| timechart latest(avg_ping) by dest
0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...