Splunk Search

Can I use modulus in Splunk to extract the decimal portion (only) of a result?

nittalasub
Explorer

How to extract only decimal values in Splunk? Example: (7 divided by 2) = 3.5, I need to get only 0.5 here. Will "%" work, or is there any MOD function to accomplish this task?


DalJeanis
Legend

@niketnilay - Great demo, but modulo arithmetic does simplify the calculation down to ..

  ... | eval decimal=(7%2)/2


nittalasub
Explorer

@Daljeanis -- thank you so much! 🙂 That helped me to extract decimals from floating point numbers.

Special thanks to Nike!


niketn
Legend

@nittalasub, I have converted @DalJeanis' comment to answer. Please accept to mark this question as answered. Kindly also up vote other comments that helped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@DalJeanis, I need to take not just Splunk lessons from you but maths also 🙂

How about dividend < divisor? like (3/7)?


DalJeanis
Legend
3%7 is 3, so (3%7)/7 = 3/7

The formula only fails (potentially) for negative numbers.

Depending on implementation -3%7 can be considered to be either -3 or +4. Those two numbers are identities in mod 7 ring theory and whatever the other relevant branches of discrete math are... but not when you are calculating real world stuff.

So, for safety, if I couldn't run a quick test, I'd end up coding that as...

   decimal=round(if(X<0, -(-X%Y)/Y,(X%Y)/Y),somenumber)
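The negative-number caveat in the post above, as an added Python example (not part of the original thread, and not SPL): it models both modulo sign conventions and checks that the guarded formula gives the same result under either one. The function names and sample pairs are constructed for illustration, and the thread does not say which convention Splunk's `%` follows.

```python
import math

def mod_truncated(x, y):
    """Remainder takes the sign of the dividend: -3 mod 7 -> -3."""
    return math.fmod(x, y)

def mod_floored(x, y):
    """Remainder takes the sign of the divisor (Python's %): -3 mod 7 -> 4."""
    return x % y

def naive_decimal(x, y, mod):
    """The short formula from the thread, (X%Y)/Y, under a given convention."""
    return mod(x, y) / y

def guarded_decimal(x, y, mod, digits=6):
    """The guarded formula from the post above:
    round(if(X<0, -(-X%Y)/Y, (X%Y)/Y), somenumber).
    Only a non-negative dividend reaches the modulo operator, so for a
    positive divisor both conventions return the same value."""
    if x < 0:
        value = -mod(-x, y) / y
    else:
        value = mod(x, y) / y
    return round(value, digits)

# Constructed sample (dividend, divisor) pairs; all divisors are positive.
SAMPLES = [(7, 2), (3, 7), (-7, 2), (-3, 7)]

def compare(samples=SAMPLES):
    """Return one row per pair showing where the conventions diverge."""
    rows = []
    for x, y in samples:
        rows.append({
            "X": x,
            "Y": y,
            "naive_truncated": round(naive_decimal(x, y, mod_truncated), 6),
            "naive_floored": round(naive_decimal(x, y, mod_floored), 6),
            "guarded_truncated": guarded_decimal(x, y, mod_truncated),
            "guarded_floored": guarded_decimal(x, y, mod_floored),
        })
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

For the negative dividends the two naive columns disagree (for example -0.428571 versus 0.571429 for -3 and 7), while the two guarded columns match.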

niketn
Legend

The following is a run-anywhere search. While modular division is possible, you are actually just looking to extract the decimal places.

| makeresults
| eval dividend=7
| eval divisor=2
| eval value=dividend/divisor
| eval remainder=dividend%divisor
| eval quotient=replace(value,"(\d+)\.(\d+)","\1")
| eval decimal=replace(value,"(\d+)(\.\d+)","0\2")
| table dividend divisor value remainder quotient decimal

Following are the results:

dividend  divisor  value  remainder  quotient  decimal
7         2        3.5    1          3         0.5

richgalloway
SplunkTrust

Splunk does support the modulus (%) operator.

---
If this reply helps you, Karma would be appreciated.

jkat54
SplunkTrust

So it would look like this?

 ... | eval remainder=7%2

Correct? I've never done it before.


DalJeanis
Legend

@jkat54 - correct, but one more step to get the requested answer...

  ... | eval decimal=(7%2)/2