Splunk Search

How to Round in a stats command?

ebs
Communicator

Hi,

I'm trying to round the average of my response_time but still getting undesirable results (all the decimal places). Can someone advise what the correct format is?

stats avg(eval(round((response_time),2))) as avg_response_time

Labels (2)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

Do your round after the stats

| stats avg(response_time) as avg_response_time
| eval avg_response_time=round(avg_response_time,2)

 

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

Do your round after the stats

| stats avg(response_time) as avg_response_time
| eval avg_response_time=round(avg_response_time,2)

 

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ebs 

Try this.

| stats avg(eval(round(response_time,2))) as avg_response_time
0 Karma

ebs
Communicator

I get this error:

Error in 'eval' command: The expression is malformed.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ebs 

 

I tried this. 

index=_internal 
| eval response_time=date_hour + 0.30303
| stats avg(eval(round(response_time,2))) as avg_response_time

 

Can you please share your search ? 

0 Karma

mal11
New Member

Here is an example of what i mean and reason i decided to revisit this topic

| stats avg(eval(round(TX,1))) as avg1 avg(TX) as avg2

output

mal11_0-1649421854605.png

 

0 Karma

mal11
New Member

The issue with doing it this way is you're rounding before you average it. This works if you already have values that need to be rounded and then you average that. I used values(eval(round to  round and aggregate into mv for unique values and it works well. I have not been able to find a way with stat, operation and round because it seems like eval needs to go after stats operation which defeats the purpose of a the average.

 

I could be missing something so if anyone found a way please post as that would save me an extra line almost every time i write a dashboard.

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Not sure what the issue is here.

stats avg will compute the average of the values found in each event and give you an unrounded result. 

stats avg(eval(round(val, 0))) will round the value before giving it to the avg() aggregation. so if you have three events with values 3.3, 3.4 and 4.4, then it will take the average of 3+3+4 (10), which will give you 3.33333333 - again, an unrounded result. 

| makeresults 
| eval value = split("3.3,3.4,4.4", ",")
| mvexpand value
| eventstats avg(eval(round(value, 0))) as avg
| stats avg(value) as v values(avg) as avg
| eval r_v=round(v), r_avg=round(avg)

If you want to get a rounded value from your average, the round after the stats, as in the accepted solution, i.e. 

Can you clarify what you mean by defeating the purpose


@mal11 wrote:

eval needs to go after stats operation which defeats the purpose of a the average.

 

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...