Solved: How to use round function in appendpipe?

JarrettM · ‎03-13-2019

This search works well and gives me the results I want as shown below:

index="index1" sourcetype="source_type1" responsestatus=200 OR responsestatus=503 
| eval User=lower(User)
| stats 
    count(eval(responsestatus="200")) as success_count
    count(eval(responsestatus="503")) as failure_count 
    by User 
| appendpipe 
    [ stats avg(success_count) as avg-success_count 
    | eval User="Average Successes"] 
| appendpipe 
    [ stats avg(failure_count) as avg-failure_count 
    | eval User="Average Failures"]
| sort 0 +User

Sample results:

**User                success_count         failure_count               avg-failure_count   avg-success_count**
Average Failures                                                                        0.092400317 
Average Successes                                                                                                      135.6589156
user1                         106                          0        
user2                          88                          0        
etc.

How do I round the values for avg-failure_count and avg-success_count? When I tried the following I got no result for avg-

success_count  and avg-failure_count.
| appendpipe 
    [ stats avg(success_count) as avg-success_count 
    | eval User="Average Successes"
     |eval avg-success_count=round(avg-success_count,2)] 
| appendpipe 
    [ stats avg(failure_count) as avg-failure_count 
    | eval User="Average Failures"
     |eval avg-failure_count=round(avg-failure_count,2)]

Thanks!

somesoni2 · ‎03-13-2019

Your field names contains special characters (hyphen) so they've to be double quoted in eval field assignment area(left side of 😃 and single quoted on expressions area, like this

index="index1" sourcetype="source_type1" responsestatus=200 OR responsestatus=503 
| eval User=lower(User)
| stats 
count(eval(responsestatus="200")) as success_count
count(eval(responsestatus="503")) as failure_count 
by User 
| appendpipe 
[ stats avg(success_count) as avg-success_count 
| eval User="Average Successes" | eval "avg-success_count"=round('avg-success_count',2)] 
| appendpipe 
[ stats avg(failure_count) as avg-failure_count 
| eval User="Average Failures" | eval "avg-failure_count"=round('avg-failure_count',2)]
| sort 0 +User

View solution in original post

somesoni2 · ‎03-13-2019

Your field names contains special characters (hyphen) so they've to be double quoted in eval field assignment area(left side of 😃 and single quoted on expressions area, like this

index="index1" sourcetype="source_type1" responsestatus=200 OR responsestatus=503 
| eval User=lower(User)
| stats 
count(eval(responsestatus="200")) as success_count
count(eval(responsestatus="503")) as failure_count 
by User 
| appendpipe 
[ stats avg(success_count) as avg-success_count 
| eval User="Average Successes" | eval "avg-success_count"=round('avg-success_count',2)] 
| appendpipe 
[ stats avg(failure_count) as avg-failure_count 
| eval User="Average Failures" | eval "avg-failure_count"=round('avg-failure_count',2)]
| sort 0 +User

JarrettM · ‎03-14-2019

Thank you!! I had no idea about the - vs _ issue or the need for ' ' vs " " quotes. I'll avoid those pesky hyphens from now on!

Perfect answer!

How to use round function in appendpipe?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?