Splunk Search

Can I use modulus in Splunk to extract the decimal portion (only) of a result?

nittalasub
Explorer

how to extract only decimal values in splunk ? ..example (7 divided by 2 ) = 3.5 , I need to get only 0.5 here ...will "%" work (or) is there any MOD funciton to accomplish this task ?

Tags (2)
0 Karma
1 Solution

DalJeanis
Legend

@niketnilay - Great demo, but modulo arithmetic does simplify the calculation down to ..

  ... | eval decimal=(7%2)/2

View solution in original post

0 Karma

DalJeanis
Legend

@niketnilay - Great demo, but modulo arithmetic does simplify the calculation down to ..

  ... | eval decimal=(7%2)/2
0 Karma

nittalasub
Explorer

@Daljeanis -- thank you so much ! 🙂 that helped me to extract decimals from floating point numbers.

special thanks to Nike !

0 Karma

niketn
Legend

@nittalasub, I have converted @DalJeanis' comment to answer. Please accept to mark this question as answered. Kindly also up vote other comments that helped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@DalJeanis, I need to take not just Splunk lessons from you but maths also 🙂

How about dividend < divisor? like (3/7)?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

DalJeanis
Legend
3%7 is 3, so (3%7)/7 = 3/7

The formula only fails (potentially)for negative numbers.

Depending on implementation -3%7 can be considered to be either -3 or +4. Those two numbers are identities in mod 7 ring theory and whatever the other relevant branches of discrete math are.... but not when you are calculating real world stuff.

So, for safety, if I couldn't run a quick test, I'd end up coding that as...

   decimal=round(if(X<0, -(-X%Y)/Y,(X%Y)/Y),somenumber)

niketn
Legend

Following is the run anywhere search. While modular division is possible, you are actually looking just to extract decimal places.

| makeresults
| eval dividend=7
| eval divisor=2
| eval value=dividend/divisor
| eval remainder=dividend%divisor
| eval quotient=replace(value,"(\d+).(\d+)","\1")
| eval decimal=replace(value,"(\d+)(\.\d+)","0\2")
| table dividend divisor value remainder quotient decimal

Following are the results:

dividend    divisor value   remainder   quotient    decimal
7          2          3.5     1         3          0.5
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

richgalloway
SplunkTrust
SplunkTrust

Splunk does support the modulus (%) operator.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jkat54
SplunkTrust
SplunkTrust

So it would look like this?

 ... | eval remainder=7%2

Correct? I've never done it before.

0 Karma

DalJeanis
Legend

@jkat54 - correct, but one more step to get the requested answer...

  ... | eval decimal=(7%2)/2
0 Karma
Get Updates on the Splunk Community!

Thank You for Celebrating CX Day with Splunk!

Yesterday the entire team at Splunk &#43; Cisco joined the global celebration of CX Day - celebrating our ...

App Building 101 - Build Your First App!

WATCH RECORDING NOW   Tech Talk: App Dev Edition Splunk has tons of out-of-the-box functionality, and you’ve ...

Introducing support for Amazon Data Firehose in Splunk Edge Processor

We’re excited to announce a powerful update to Splunk Data Management with added support for Amazon Data ...