Can I use modulus in Splunk to extract the decimal portion (only) of a result?

Explorer

How to extract only decimal values in Splunk? Example: (7 divided by 2) = 3.5, I need to get only 0.5 here. Will "%" work, or is there any MOD function to accomplish this task?

1 Solution
Legend

@niketnilay - Great demo, but modulo arithmetic does simplify the calculation down to...

... | eval decimal=(7%2)/2
Explorer

@DalJeanis, thank you so much! 🙂 That helped me to extract decimals from floating point numbers.

Special thanks to Nike!

Legend

@nittalasub, I have converted @DalJeanis' comment to an answer. Please accept it to mark this question as answered. Kindly also upvote other comments that helped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Legend

@DalJeanis, I need to take not just Splunk lessons from you but maths also 🙂

How about dividend < divisor, like (3/7)?

Legend
3%7 is 3, so (3%7)/7 = 3/7

The formula only fails (potentially) for negative numbers.

Depending on implementation, -3%7 can be considered to be either -3 or +4. Those two numbers are identities in mod 7 ring theory and whatever the other relevant branches of discrete math are... but not when you are calculating real world stuff.

So, for safety, if I couldn't run a quick test, I'd end up coding that as...

decimal=round(if(X<0, -(-X%Y)/Y,(X%Y)/Y),somenumber)
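
A run-anywhere search for the "quick test" mentioned above, as an added example that is not part of the original thread. The X:Y pairs are constructed sample values, the field names are hypothetical, and a positive divisor is assumed; decimal_floor is an alternative that uses abs() and floor() instead of %.

```spl
| makeresults
| eval pair=split("7:2,3:7,-3:7,-7:2", ",")
| mvexpand pair
| eval X=tonumber(mvindex(split(pair, ":"), 0)), Y=tonumber(mvindex(split(pair, ":"), 1))
| eval mod_raw=X%Y
| eval decimal_mod=round(if(X<0, 0-((0-X)%Y)/Y, (X%Y)/Y), 4)
| eval decimal_floor=round(if(X<0, -1, 1)*(abs(X/Y)-floor(abs(X/Y))), 4)
| table X Y mod_raw decimal_mod decimal_floor
```

The mod_raw column shows how your Splunk version evaluates % on a negative dividend; the other two columns never apply % to a negative operand, so they should match each other on every row.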
Legend

Following is the run-anywhere search. While modular division is possible, you are actually looking just to extract decimal places.

| makeresults
| eval dividend=7
| eval divisor=2
| eval value=dividend/divisor
| eval remainder=dividend%divisor
| eval quotient=replace(value,"(\d+)\.(\d+)","\1")
| eval decimal=replace(value,"(\d+)(\.\d+)","0\2")
| table dividend divisor value remainder quotient decimal

Following are the results:

dividend    divisor    value    remainder    quotient    decimal
7           2          3.5      1            3           0.5
SplunkTrust

Splunk does support the modulus (%) operator.

---
If this reply helps you, Karma would be appreciated.
SplunkTrust

So it would look like this?

... | eval remainder=7%2

Correct? I've never done it before.

Legend

@jkat54 - correct, but one more step to get the requested answer...

... | eval decimal=(7%2)/2