Splunk Search

How to display summed results that are less than 1 in a table?

tapptress
Explorer

I have values in a field that, when summed, are values less than 1 (i.e., .79, .03). I need these values to display in my table, but they currently do not. I assume it is because they are a value less than 1. They display when they aren't summed, so is there a way to format a summed value so it will display these smaller values?

1 Solution

somesoni2
Revered Legend

Seems like the value .03 is not recognized as a proper decimal number. Give this a try:

| eval Duration=if(substr(Duration,1,1)=".","0".Duration,Duration) | stats list(RFO) as RFO, list (DAYSOUT) as Duration, list(count) as COUNT, sum(count) as total tickets by sensor | convert num(Duration) |stats sum(Duration) as Duration by Sensor


tapptress
Explorer

Thanks. This appears to have worked. Really appreciate it!


twinspop
Influencer

Splunk does not round or truncate numbers by default in any situations I'm aware of. Can you provide sample logs, searches and results?


richgalloway
SplunkTrust

Using round or exact in your eval may help. Show us your query for a better answer.

---
If this reply helps you, Karma would be appreciated.

tapptress
Explorer

I'm basically just summing duration times for a particular device outage

|stats sum(Duration) as Duration by Sensor -- my search returns 3 values to sum [.03, 4.75, and 7.24] -- the result is 11.99, it seems to be ignoring the .03 value


somesoni2
Revered Legend

Can you run this and share the results (for the Sensor where you're seeing the issue)?

your base search | table Sensor Duration | appendpipe [|stats sum(Duration) as Duration by Sensor]

tapptress
Explorer

I have all of that
base search, I did stats list(RFO) as RFO, list (DAYSOUT) as Duration, list(count) as COUNT, sum(count) as total tickets by sensor |appendpipe [|stats sum(Duration) as Duration by Sensor]

I get everything I want with the exception of any duration that is less than 1 is ignored. How do I get the sum functions to add the 0.something values?


somesoni2
Revered Legend

I'm guessing the number format could be the issue here. Could you try this?

stats list(RFO) as RFO, list (DAYSOUT) as Duration, list(count) as COUNT, sum(count) as total tickets by sensor | convert num(Duration) |appendpipe [|stats sum(Duration) as Duration by Sensor]

tapptress
Explorer

Same result. 11.99 when it should be 12.02
