Splunk Search

Eval rounding error too big

gljiva
Path Finder

Hi, I'm getting a big rounding error when evaluating floating expressions.
Here is the search that is evaluating the following table:

| stats sum(AmountActualCcy) as TransactionSum by RetailerId  | eval FINAL = (0.1 * TransactionSum)

    RetailerId  TransactionSum  FINAL
1   33215   3091170.69  300000
2   519973  3269504.11  300000
3   54655   2952796.05  300000
4   59518   2965221.65  300000
5   67889   2840332.81  300000
6   68117   3113385.64  300000
7   81275   3099565.43  300000
8   849454  3140473.26  300000
9   921976  3076440.38  300000

Is there maybe some function to force float evaluation of expression?

Tags (2)
0 Karma
1 Solution

gljiva
Path Finder

Ok, found exact() function that solves my problem.

This function evaluates an expression X using double precision floating point arithmetic.

solution looks like this:

eval FINAL = exact(0.1 * TransactionSum)

Another question if I try to evaluate two fields like following I get no results, like there was no evaluation, both fields are recognized by splunk as numerical and are present in all events:

 ... | lookup RetailerNames.csv RetailerId as RetailerId OUTPUT Fee, FirmName | search FirmName="Apple" | stats sum(AmountActualCcy) as TransactionSum by RetailerId, FirmName | eval FINAL = exact( TransactionSum * Fee)

Any ideas why this wouldn't work?

View solution in original post

0 Karma

gljiva
Path Finder

Ok, found exact() function that solves my problem.

This function evaluates an expression X using double precision floating point arithmetic.

solution looks like this:

eval FINAL = exact(0.1 * TransactionSum)

Another question if I try to evaluate two fields like following I get no results, like there was no evaluation, both fields are recognized by splunk as numerical and are present in all events:

 ... | lookup RetailerNames.csv RetailerId as RetailerId OUTPUT Fee, FirmName | search FirmName="Apple" | stats sum(AmountActualCcy) as TransactionSum by RetailerId, FirmName | eval FINAL = exact( TransactionSum * Fee)

Any ideas why this wouldn't work?

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...