Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Math precision

joebensimo
Path Finder
‎09-18-2013 11:10 PM

I am seeing what appears to be inconsistencies in how Splunk does math in eval statements. Most of the time, it appears to be doing floating point math, but I've encountered a number of cases where it is doing something else.

For example:

Given fields p=8.250 and m=0.2, multiplying the values

| eval i = p*m

gives me a resulting value of 2.0 instead of the expected 1.65.

However, if I add the exact function

| eval i = exact(p*m)

Splunk gives me the expected value of 1.65.

In other cases, Splunk appears to be doing floating point multiplication and division without me explicitly using the exact() function.

While rounding up 1.65 to 2.0 isn't a big difference, this creates a huge error when integer math results of many events are summed.

The documentation says:

exact(X) This function evaluates an
expression X using double precision
floating point arithmetic.

So, my questions:

How does Splunk do math when the exact() function is not used? Why do I sometimes get integer results instead of accurate floating point results and other times get floating point result values?

Is the lack of precision documented anywhere other than the one-line description of the exact() function? If it is, I've not yet been able to find it. It seems to me that it is a huge deal to not do floating point math on real numbers without making it abundantly clear that the results are not exact.

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-18-2013 11:45 PM

When you run eval, the final result is rounded to a precision appropriate to the precision of the input results. The precision of the final result can be no greater than the precision of the least-precise input. Note that you will get results expressed differently if you do 8.250 * 0.2 vs 8.250 * 0.20 vs 8.250 * 0.200. This can be problem if by 0.2, you actually mean 0.2 to an arbitrary number of digits of precision. If that is what you mean, then you can express that by using exact(0.2) instead of 0.2.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-18-2013 11:45 PM

When you run eval, the final result is rounded to a precision appropriate to the precision of the input results. The precision of the final result can be no greater than the precision of the least-precise input. Note that you will get results expressed differently if you do 8.250 * 0.2 vs 8.250 * 0.20 vs 8.250 * 0.200. This can be problem if by 0.2, you actually mean 0.2 to an arbitrary number of digits of precision. If that is what you mean, then you can express that by using exact(0.2) instead of 0.2.

Reply
Solved! Jump to solution

joebensimo
Path Finder
‎09-18-2013 11:59 PM

This seems to explain what I am seeing with multiplication. I just did some additional tests with a variety of precisions. It appears Splunk is using digits of precision and not digits after the decimal point. It doesn't matter where the decimal point is located.

However, for division, I seem to get more digits of precision than any of the input values -- which is probably what I want it to do.

Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...