- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Modulus in Splunk is faulty in my occasion
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi fellow splunkers,
recently i deployed WinPrintMon inputs to our printserver, to check driver versions and found out that splunk falsly calculated modulus.
Tested in Enterprise 9.3.2 and 9.4.0
in the calculated version i found out, that the revision of a driver differs from the printmanagement on that printserver directly.
i calculate the revision like that: version % pow(2,16)
In my case the calculation translates to
17171305019303231 % 65536
splunk calculates 25920 which isn't correct, it is 25919
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tested further and its not the modulus calculation, its how splunk handling high numbers.
This search shows that if a number (only tested Integer) has 17 digits or more, odd numbers will turned even.
The field odd_highest_correct_len_16 in the makeresults search is the highest correct odd i achieved whith working digit for digit from left to right.
If the last digit of odd_highest_correct_len_16 is get set to 3, splunk will make a 2 out of that.
| makeresults
| fields - _time
| eval odd_correct_len_16=1000000000000001, odd_highest_correct_len_16=9007199254740991, odd_incorrect_len_17=10000000000000001
I'm going to file a support case for that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tested further and its not the modulus calculation, its how splunk handling high numbers.
This search shows that if a number (only tested Integer) has 17 digits or more, odd numbers will turned even.
The field odd_highest_correct_len_16 in the makeresults search is the highest correct odd i achieved whith working digit for digit from left to right.
If the last digit of odd_highest_correct_len_16 is get set to 3, splunk will make a 2 out of that.
| makeresults
| fields - _time
| eval odd_correct_len_16=1000000000000001, odd_highest_correct_len_16=9007199254740991, odd_incorrect_len_17=10000000000000001
I'm going to file a support case for that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @TheEggi98
That is very odd! Its not something I also see the same issue you are getting (Splunk returning 25920.
I would suggest filing a support case (https://www.splunk.com/en_us/about-splunk/contact-us.html#customer-support) and raise this so that a bug can be raised internally.
Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards
Will
Fueling your curiosity with new Splunk ILT and eLearning courses
Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...
Unleash Unified Security and Observability with Splunk Cloud Platform
