Splunk Search

Math precision

joebensimo
Path Finder

I am seeing what appear to be inconsistencies in how Splunk does math in eval statements. Most of the time, it appears to be doing floating point math, but I've encountered a number of cases where it is doing something else.

For example:

Given fields p=8.250 and m=0.2, multiplying the values

| eval i = p*m

gives me a resulting value of 2.0 instead of the expected 1.65.

However, if I add the exact function

| eval i = exact(p*m)

Splunk gives me the expected value of 1.65.

In other cases, Splunk appears to be doing floating point multiplication and division without me explicitly using the exact() function.

While rounding up 1.65 to 2.0 isn't a big difference, this creates a huge error when integer math results of many events are summed.

The documentation says:

exact(X): This function evaluates an expression X using double precision floating point arithmetic.

So, my questions:

How does Splunk do math when the exact() function is not used? Why do I sometimes get integer results instead of accurate floating point results and other times get floating point result values?

Is the lack of precision documented anywhere other than the one-line description of the exact() function? If it is, I've not yet been able to find it. It seems to me that it is a huge deal to not do floating point math on real numbers without making it abundantly clear that the results are not exact.

1 Solution

gkanapathy
Splunk Employee

When you run eval, the final result is rounded to a precision appropriate to the precision of the input results. The precision of the final result can be no greater than the precision of the least-precise input. Note that you will get results expressed differently if you do 8.250 * 0.2 vs 8.250 * 0.20 vs 8.250 * 0.200. This can be a problem if by 0.2, you actually mean 0.2 to an arbitrary number of digits of precision. If that is what you mean, then you can express that by using exact(0.2) instead of 0.2.

joebensimo
Path Finder

This seems to explain what I am seeing with multiplication. I just did some additional tests with a variety of precisions. It appears Splunk is using digits of precision and not digits after the decimal point. It doesn't matter where the decimal point is located.

However, for division, I seem to get more digits of precision than any of the input values -- which is probably what I want it to do.

Thanks!

0 Karma
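
A search for checking the behaviour discussed in this thread on your own instance (an added example, not part of the original posts). It generates 1000 constructed events with makeresults, uses the values from the question, and puts the implicit and exact() results side by side along with their sums. Setting p and m with eval is an assumption made for the test; fields extracted from real events may be typed differently.

```spl
| makeresults count=1000
| eval p=8.250, m=0.2
| eval i_implicit = p*m
| eval i_exact = exact(p*m)
| eval lit_1 = 8.250*0.2, lit_2 = 8.250*0.20, lit_3 = 8.250*0.200
| eval lit_exact_operand = 8.250*exact(0.2)
| stats first(i_implicit) AS i_implicit
        first(i_exact) AS i_exact
        first(lit_1) AS lit_1
        first(lit_2) AS lit_2
        first(lit_3) AS lit_3
        first(lit_exact_operand) AS lit_exact_operand
        sum(i_implicit) AS sum_implicit
        sum(i_exact) AS sum_exact
```

If sum_implicit and sum_exact differ, any search that totals a computed field (counts, byte volumes, scores feeding a threshold) should wrap the arithmetic in exact() before the stats step.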