Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- If function returning integers?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This code snippet is being used to calculate a time into a normal time in the H.M format. The numbers are something like 1.93 which means 1 hour and 93 minutes. I'm trying to convert this into 2.33 so it is more easily read/understood.
| eval x1=substr(Total_Time_Refresh,1,1)
| eval x2=substr(Total_Time_Refresh,3)
| eval x4=(x2/100)
| eval x3 = if(x4>=(0.60),((x4/.6)+x1),(x4+x1))
Unfortunately anytime the substring x4 is greater than .60 it returns a whole number 2 or 3 only.
Anyone have any ideas as too why it is doing this?
| eval x1=substr(Total_Time_Refresh,1,1)
| eval x2=substr(Total_Time_Refresh,3)
| eval x3=(x2/100)
| eval x5=((x3/0.6)+x1)
| eval x6=(x3+x1)
| eval x4=if(x3>=.6,x5,x6)
Edit: I spread out the code to troubleshoot it and the error lies in '| eval x5=((x3/0.6)+x1)'
It seems to be rounding the number to a whole number if it is over '2'. I don't know the reason why though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solution:
| eval x5=exact((x3/0.6)+x1)
Adding the exact function to the equation forces it to not round the answer.
Edit:
| eval x1=substr(Total_Time_Refresh,1,1)
| eval x2=substr(Total_Time_Refresh,3)
| eval x3=(x2/100)
| eval x5=if(x3>.60,((x3-.60)+2),x3+1)
| eval Fixed_Refresh_Time = substr(x5,1,4)
This solution seems to be working but only will work on refreshes that are shorting than 3hrs which is over 99.9% of refreshes in my case and have alerts to go off if they are over 3hr.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solution:
| eval x5=exact((x3/0.6)+x1)
Adding the exact function to the equation forces it to not round the answer.
Edit:
| eval x1=substr(Total_Time_Refresh,1,1)
| eval x2=substr(Total_Time_Refresh,3)
| eval x3=(x2/100)
| eval x5=if(x3>.60,((x3-.60)+2),x3+1)
| eval Fixed_Refresh_Time = substr(x5,1,4)
This solution seems to be working but only will work on refreshes that are shorting than 3hrs which is over 99.9% of refreshes in my case and have alerts to go off if they are over 3hr.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Although this solves the integer issue the time is now off. Still searching for solution that returns the correct time.
.conf25 Global Broadcast: Don’t Miss a Moment
Observe and Secure All Apps with Splunk
What's New in Splunk Observability - August 2025
