Splunk Search

How can I round to the nearest half with the eval command?

Communicator

Hello,

I have some values that are in the format of : 0, 0.5, 1, 1.5, 2, 2.5, 3, 3.5, 4, 4.5, 5

I am trying to find that average and only want whole and half numbers so nothing like 1.7 only avg's like 1, 2.5, 4, 3.5 etc.

I thought maybe if I multiplied by 2 and then divided that by the count and then again in half that would work but its not quite right.

|eval tmpscore=(score * 2)
|eval "Maturity Level"=round(((tmpscore/count)/2),1)

"score" being the sum of all the values of a field
Any ideas how I could get this type of rounding to work?

Thanks as always

0 Karma
1 Solution

Splunk Employee
Splunk Employee

How about this as a starting point?

| makeresults 
| eval calculated_average_score = 1.74 
| eval tmp_score = calculated_average_score*2 
| eval round_tmp_score = round(tmp_score) 
| eval final_round_calculated_average_score = round_tmp_score / 2

View solution in original post

Splunk Employee
Splunk Employee

How about this as a starting point?

| makeresults 
| eval calculated_average_score = 1.74 
| eval tmp_score = calculated_average_score*2 
| eval round_tmp_score = round(tmp_score) 
| eval final_round_calculated_average_score = round_tmp_score / 2

View solution in original post

Communicator

I tried this but I still get the same results

|eval tmpscore=(score * 2)
|eval tmpscore=round(tmpscore)
|eval "Maturity Level"=((tmpscore/count)/2)

I still get values like:

1.3333333333333333  
2   
2.1666666666666665
1.5
1.625
3
1.75
1.8
0 Karma

Splunk Employee
Splunk Employee

Another fuller example this time using the same field names (without count)

| makeresults count=10 
| eval value = (random()%100)/5
| stats avg(value) as score
| eval tmpscore=(score * 2)
| eval tmpscore=round(tmpscore)
| eval "Maturity Level"= tmpscore/2
0 Karma

Communicator

yep, edited again and got the results I was looking for, thanks again!

0 Karma

Splunk Employee
Splunk Employee

No worries, thanks for accepting the answer

0 Karma

Splunk Employee
Splunk Employee

Does the SPL this answer provide work? It looks like you've tried to combine it into a single line and not done a like for like conversion. The SPL provided in this answer assumes you are converting an already calculated average (so you don't need count).

0 Karma

Splunk Employee
Splunk Employee

A fuller example with average calculation.

| makeresults count=10 
| eval value = (random()%100)/5
| stats avg(value) as calculated_average_score
| eval tmp_score = calculated_average_score*2 
| eval round_tmp_score = round(tmp_score) 
| eval final_round_calculated_average_score = round_tmp_score / 2
0 Karma