Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Math precision

joebensimo
Path Finder
‎09-18-2013 11:10 PM

I am seeing what appears to be inconsistencies in how Splunk does math in eval statements. Most of the time, it appears to be doing floating point math, but I've encountered a number of cases where it is doing something else.

For example:

Given fields p=8.250 and m=0.2, multiplying the values

| eval i = p*m

gives me a resulting value of 2.0 instead of the expected 1.65.

However, if I add the exact function

| eval i = exact(p*m)

Splunk gives me the expected value of 1.65.

In other cases, Splunk appears to be doing floating point multiplication and division without me explicitly using the exact() function.

While rounding up 1.65 to 2.0 isn't a big difference, this creates a huge error when integer math results of many events are summed.

The documentation says:

exact(X) This function evaluates an
expression X using double precision
floating point arithmetic.

So, my questions:

How does Splunk do math when the exact() function is not used? Why do I sometimes get integer results instead of accurate floating point results and other times get floating point result values?

Is the lack of precision documented anywhere other than the one-line description of the exact() function? If it is, I've not yet been able to find it. It seems to me that it is a huge deal to not do floating point math on real numbers without making it abundantly clear that the results are not exact.

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-18-2013 11:45 PM

When you run eval, the final result is rounded to a precision appropriate to the precision of the input results. The precision of the final result can be no greater than the precision of the least-precise input. Note that you will get results expressed differently if you do 8.250 * 0.2 vs 8.250 * 0.20 vs 8.250 * 0.200. This can be problem if by 0.2, you actually mean 0.2 to an arbitrary number of digits of precision. If that is what you mean, then you can express that by using exact(0.2) instead of 0.2.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-18-2013 11:45 PM

When you run eval, the final result is rounded to a precision appropriate to the precision of the input results. The precision of the final result can be no greater than the precision of the least-precise input. Note that you will get results expressed differently if you do 8.250 * 0.2 vs 8.250 * 0.20 vs 8.250 * 0.200. This can be problem if by 0.2, you actually mean 0.2 to an arbitrary number of digits of precision. If that is what you mean, then you can express that by using exact(0.2) instead of 0.2.

Reply
Solved! Jump to solution

joebensimo
Path Finder
‎09-18-2013 11:59 PM

This seems to explain what I am seeing with multiplication. I just did some additional tests with a variety of precisions. It appears Splunk is using digits of precision and not digits after the decimal point. It doesn't matter where the decimal point is located.

However, for division, I seem to get more digits of precision than any of the input values -- which is probably what I want it to do.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...