Dashboards & Visualizations

round function not consistent

ramy19
Engager

hi all,

am running into an inconsistency with simple round function depending on the decimal placing, 
 here's wat am getting 

index=_internal type=usage
| eval totalGB = b/(1024*1024*1024)
| eval roundGB= round (totalGB,5)

one day value = 4.47213

when its

eval roundGB= round (totalGB,3)    -- i get 2.791 

| eval roundGB= round (totalGB,2) -- i get 0.32

for the same day.

any idea what is happening here?

Labels (1)
Tags (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

If that is your search, then you are simply calculating the usage value in GB for each event you see - you are not calculating a total or doing any kind of aggregation on that data. When you say 'in the same day' you are not calculating a total for the day.

Are you really looking for something like this?

index=_internal type=usage
| bin _time span=1d
| stats sum(b) as b by _time
| eval totalGB = b/(1024*1024*1024)
| eval roundGB= round (totalGB,5)

which aggregates the total of the bytes value (b) and then calculates total in GB, by day? Or done in a different way using timechart

index=_internal type=usage
| timechart span=1d sum(b) as b 
| eval totalGB = b/(1024*1024*1024)
| eval roundGB= round (totalGB,5)

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

If that is your search, then you are simply calculating the usage value in GB for each event you see - you are not calculating a total or doing any kind of aggregation on that data. When you say 'in the same day' you are not calculating a total for the day.

Are you really looking for something like this?

index=_internal type=usage
| bin _time span=1d
| stats sum(b) as b by _time
| eval totalGB = b/(1024*1024*1024)
| eval roundGB= round (totalGB,5)

which aggregates the total of the bytes value (b) and then calculates total in GB, by day? Or done in a different way using timechart

index=_internal type=usage
| timechart span=1d sum(b) as b 
| eval totalGB = b/(1024*1024*1024)
| eval roundGB= round (totalGB,5)

ramy19
Engager

thx a lot @bowesmana 
yes actually that's what am after, i didn't mention part in my question (don't know y), but yea, that helps a lot.

my mistake is that i was rounding in gigs before the sum, and since the original values of b are in bytes so rounding the gig value with 2 decimal places was zero for almost all of the events.

lesson learned, no rounding before sum (especially with smaller values)

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@ramy19 Shouldn't be such big different for rounding 2,3 and 5. As you see they are consistent. It all depends on how your totalGB looks like that might be varying between rounding 2,3 and 5.

See how is your totalGB looks like as below,

venkatasri_0-1629347746321.png

---

Hope this reply helps!

 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...