Hi,
I have a search query as below:
index= **** | stats avg(upstream_response_time), p95(upstream_response_time), p99(upstream_response_time) by service
It gives me results as below...
I wanted to round off the decimal values to 2 digits for all column values. I tried something like this, but it didn't give me any results. Can you please help me with how I can trim the results to 2 digits?
index= **** | eval upstream_response_times = round(upstream_response_time,2) | stats avg(upstream_response_times), p95(upstream_response_times), p99(upstream_response_times) by service
index= ****
| stats avg(upstream_response_time), p95(upstream_response_time), p99(upstream_response_time) by service
| foreach *upstream_response_time*
[| eval "<<FIELD>>"=round('<<FIELD>>',2)]
Tried the below ways, but the result is not trimmed to 2 digits:
index= ****
| stats avg(upstream_response_time), p95(upstream_response_time), p99(upstream_response_time) by service
| foreach "upstream_response_time"
[| eval "upstream_response_time"=round('upstream_response_time',2)]
index= ****
| stats avg(upstream_response_time), p95(upstream_response_time), p99(upstream_response_time) by service
| foreach *upstream_response_time*
[| eval "upstream_response_time"=round('upstream_response_time',2)]
'<<FIELD>>' was not used here by @ITWhisperer as a string to be replaced by you. It should have been pasted as is. It's a placeholder to be replaced during the search by the field name matched by foreach.
See https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Foreach
You might consider using fieldformat instead of eval but that can lead to some hard to spot inconsistencies if you plan to further process the fields down the pipeline.
Even as is, if I mention the field name also, it is not rounding off the results.
Even that is not helping me to round off the column values.
I wanted to mention one more thing here, i.e., the values I am planning to search here are written to a summary index from the original index.
Thanks,
SG
Try doing the foreach exactly as I suggested.
This time you omitted the asterisks around the partial field name.
Please see https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Foreach for the description of how foreach works.
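The three foreach variants from this thread, modelled in Python to show which fields the wildcard matches and what the <<FIELD>> placeholder expands to. This is an added example, not part of any post above and not Splunk's own code; the function foreach_round and the sample row values are assumptions constructed for illustration.

```python
# Simplified model of SPL `foreach` + `eval round()` (assumption: not Splunk code).
from fnmatch import fnmatchcase

# Constructed sample: one result row as it looks after
# `stats avg(...), p95(...), p99(...) by service`.
ROW = {
    "service": "checkout",
    "avg(upstream_response_time)": 0.123456,
    "p95(upstream_response_time)": 0.456789,
    "p99(upstream_response_time)": 0.987654,
}

def foreach_round(row, pattern, template_field, digits=2):
    """Model `foreach <pattern> [eval "<t>"=round('<t>', digits)]` on one row.

    template_field is the text typed inside the brackets; every <<FIELD>>
    in it is replaced by the name of the field that matched the pattern.
    Returns (new_row, number_of_matched_fields).
    """
    out = dict(row)
    matched = [name for name in row if fnmatchcase(name, pattern)]
    for name in matched:
        target = template_field.replace("<<FIELD>>", name)
        value = row.get(target)  # the field referenced inside round()
        if isinstance(value, float):
            out[target] = round(value, digits)
        # A field that does not exist evaluates to null, so nothing is written.
    return out, len(matched)

if __name__ == "__main__":
    variants = [
        ("*upstream_response_time*", "<<FIELD>>"),               # as suggested
        ("upstream_response_time", "upstream_response_time"),    # no asterisks
        ("*upstream_response_time*", "upstream_response_time"),  # placeholder replaced by hand
    ]
    for pattern, template in variants:
        result, hits = foreach_round(ROW, pattern, template)
        print(f"foreach {pattern} with {template!r}: {hits} field(s) matched")
        for name, value in result.items():
            print(f"    {name} = {value}")
```

Only the first variant changes the row: the second matches no field because stats named the columns avg(...), p95(...) and p99(...), and the third rounds a field called upstream_response_time that no longer exists after stats.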