All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to round search result (Miliseconds)?

tobi2k
Explorer
‎07-13-2019 06:27 AM

Hi There,

with Google I already found numerous forum contributions to this topic - but unfortunately none worked.

I want to round a result (avg_ping in miliseconds) to whole numbers.

I tried that:

index="main" source="ping" | timechart latest(avg_ping) by dest | eval avg_ping = round(avg_ping,0)

But the result is unfortunately still not rounded: 21.535

Help is very welcome!

0 Karma
Reply

pgerke_cc
Explorer
‎07-14-2019 05:21 AM

Think that yould help you?

https://answers.splunk.com/answers/667635/how-to-round-a-millisecond-output.html

have to set "eval avg_ping=round(avg_ping,0)" to "eval avg_ping=round(avg_ping,2)"

0 Karma
Reply

vbumgarner
Contributor
‎07-13-2019 09:28 AM

Add as “as avg_ping” to your time chart command, or reference the results as 'latest(avg_ping)'

timechart latest(avg_ping) as avg_ping

or

'latest(avg_ping)' = round('latest(avg_ping)',0)
0 Karma
Reply

tobi2k
Explorer
‎07-13-2019 08:18 AM

Thank you for your answer.

The query

index="main" source="ping" | timechart latest(avg_ping) by dest

results in:

_time   server1.net server2.net server3.net
2019-07-12 17:00:00 33.948  65.14   19.13
2019-07-12 17:30:00 22.779  51.48   21.58
2019-07-12 18:00:00 20.194  69.65   17.91

Its not clear for me how to address the field name for rounding.

0 Karma
Reply

HiroshiSatoh
Champion
‎07-13-2019 05:29 PM

Please look at my answer.

0 Karma
Reply

HiroshiSatoh
Champion
‎07-13-2019 07:14 AM

avg_ping does not exist. Please check the field name in the result of avg_ping.

 index="main" source="ping" | timechart latest(avg_ping) by dest

It is easy if you do it first.

 index="main" source="ping" |eval avg_ping=round(avg_ping,0)
| timechart latest(avg_ping) by dest
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...