Splunk Search

How to remove decimal places without rounding

g038123
Explorer

Hello,
I have the following field values returned from a base search

Field Name
14.2
19.95
InvalidCompositeMsmtA
0
5.6
CompositeIndexInitializing

I need to remove the decimal places without rounding, so the results show as below, which would match what our application displays.

Field Name
14
19
InvalidCompositeMsmtA
0
5
CompositeIndexInitializing

Thank you in advance for any assistance you can provide.

Tags (1)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

your current search | eval "Field Name"=if(match('Field Name',"^[\d\.]*$"),floor('Field Name'),'Field Name')

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try like this

your current search | eval "Field Name"=if(match('Field Name',"^[\d\.]*$"),floor('Field Name'),'Field Name')
0 Karma

g038123
Explorer

Perfect, Thank you!!

0 Karma

vikashperiwal
Path Finder

i tried doing this way, i want t remove decimal places without rounding. but this did nt work

index=xyx host=* source=abc
| eval new_time = uptime/86400 | timechart span=1day avg(new_time) as Days by host| eval Days=if(match('Days',"^[\d.]*$"),floor('Days'),'Days')

0 Karma

sloshburch
Splunk Employee
Splunk Employee

@vikashperiwal - time is a bit "fun" to play with and I suggest making a whole new post for that question (and then share the link here so we can help you) so we can dive deep with you.

There could be a number of options or approaches depending on your situation. For example, your question could be solved with a tweak to the sourcetype (to modify the time) that could solve your challenge with the `date*` fields.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The output format you've put may be little confusing. What are the names of the fields that contains those decimal values? Are the names of those columns fixed/static? There is a function called floor which can just bring it down to next lower integer number (no rounding, floor(19.99) will be 19 ).

0 Karma

outcoldman
Communicator

You are looking on something like

... | eval InvalidCompositeMsmtA=floor(InvalidCompositeMsmtA)

You can find the documentation about floor http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/MathematicalFunctions#floor.28X.29

sloshburch
Splunk Employee
Splunk Employee

Floor, ceiling, round, or if needed, you could string parse it to chop off everything from decimal after. As @somesoni2 highlight, the formatting of the original post is funky so it's a bit hard to understand if these answers are helping.

0 Karma

g038123
Explorer

Hey, sorry for the confusion, to clarify I have a field named "Index"(Named "Field Name" in original post)
The values of the Index field can be numeric or string as below
14.2
19.95
InvalidCompositeMsmtA
0
5.6
CompositeIndexInitializing

I don't really care about the strings, they're temporary and will update to a numeric value after enough readings have posted. For the purposes of my report, they will generally be ignored.

I do care about the numeric values and would like them to display identical to what is displayed on our application. Floor worked perfectly as I do not want the values rounded, thank you for that!

Given the same data values, if I did need to only update the numeric values and leave the strings untouched, how would I do that? Just curious for future reference and if by chance the requester of the data asks for it. 😉

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Check the functions for the eval command and you will discover that you can play with Informational Functions and the Comparison and Conditional functions to test if a value is a string (hint: isstr ) or is a number (hint: isnum ) and then perform the floor only on the numbers.

If you need more help, come back here, but I figured you wanted to learn more about the options available than just this specific answer (teach you to fish).

0 Karma

g038123
Explorer

Perfect! Thank you Burch
And yes, I'd rather fish 😉

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...