Splunk Search

Can the precision of numerical results be changed in the search?

CarbonCriterium
Path Finder

Let's say you have the following search:

... | stats sum(eval(sc_bytes/1073741824)) AS Gigabytes BY date

 

The resulting values in the Gigabytes column may have many characters after the decimal point.  In a results table or a dashboard one may format the values with commas or define precision in order to make the information easier to read at a glance.   

Is there a way to change how these values are displayed without changing the underlying information from the search?  

I know the following may be used to convert the values to a string, but is there a way to change the way these values are displayed without changing the number - perhaps you want to store it for later formulas?

... | stats sum(eval(sc_bytes/1073741824)) AS Gigabytes BY date 
| eval Gigabytes=printf("%.4f",Gigabytes)

 

0 Karma

ITWhisperer
SplunkTrust
... | stats sum(sc_bytes) AS Gigabytes BY date
| fieldformat Gigabytes=Gigabytes/1073741824

CarbonCriterium
Path Finder

Thank you for trying to respond, but this doesn't answer the question. 

The closest answer appears to be the tostring function, but it also changes the datatype.  

 

… |stats sum(eval(sc_bytes/1073741824)) AS Gigabytes BY date
| eval Gigabytes = tostring(Gigabytes, "commas")

 

0 Karma

ITWhisperer
SplunkTrust

fieldformat changes the way it is displayed without changing its value (which answers at least one of your questions). If you need to combine the division with a round or printf, you could do

| fieldformat Gigabytes=round(Gigabytes/1073741824,3)

or

| fieldformat Gigabytes=printf("%.4f",Gigabytes/1073741824)

 

0 Karma
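
One way to check the distinction discussed in this thread, as an added example that is not from either poster: the search builds constructed sample rows with makeresults, formats one copy of the value with eval printf and another with fieldformat, then reports typeof() for each and uses the fieldformat column in a later calculation. The field names bytes, gb_string, gb_number, type_string, type_number and doubled, and the sample dates and byte counts, are assumptions made for the illustration.

```spl
| makeresults count=3
| streamstats count AS day
| eval date="2021-10-0".day, sc_bytes=day*1610612736
| stats sum(sc_bytes) AS bytes BY date
| eval gb_string=printf("%.4f", bytes/1073741824)
| eval gb_number=bytes/1073741824
| fieldformat gb_number=printf("%.4f", gb_number)
| eval type_string=typeof(gb_string), type_number=typeof(gb_number)
| eval doubled=gb_number*2
```

fieldformat is applied when results are rendered, so it does not carry into exports such as outputcsv or outputlookup; those receive the underlying value.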