Solved: How to round up a field value which contains the d...

pavanae · ‎11-08-2016

I have a search which displays the average_time_spent in the format "hh:mm:ss"

my search | eval field_in_hhmmss=tostring(avgDurationPerpid, "duration") | table id field_in_hhmmss

which displays as below

id field_in_hhmmss

23 01:58:36.344000

Now how can i round up the seconds part in an understandable way like instead of 01:58:36.344000 it should display as 01:58:37?

gokadroid · ‎11-08-2016

It depends on what function do you want to use to round of : floor, ceil etc. and then rounding off before you convert via tostring. Something like this:

my search 
|eval field_in_hhmmss=tostring(ceil(avgDurationPerpid), "duration") 
| table id field_in_hhmmss

OR

my search 
|eval field_in_hhmmss=tostring(floor(avgDurationPerpid), "duration") 
| table id field_in_hhmmss

View solution in original post

gokadroid · ‎11-08-2016

It depends on what function do you want to use to round of : floor, ceil etc. and then rounding off before you convert via tostring. Something like this:

my search 
|eval field_in_hhmmss=tostring(ceil(avgDurationPerpid), "duration") 
| table id field_in_hhmmss

OR

my search 
|eval field_in_hhmmss=tostring(floor(avgDurationPerpid), "duration") 
| table id field_in_hhmmss

pavanae · ‎11-08-2016

I would think using ceil would be the best in my case. So how can I make the users to display in descending order based on the fields_in_hhmmss

How to round up a field value which contains the digits?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to round up a field value which contains the digits?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR