Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Splunk Search

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Number comparison seems not to be working

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

tommasoscarpa1

Path Finder

07-30-2024
03:46 AM

Hi,

This thing is getting me crazy.

I am running Splunk 9.2.1 and I have the following table:

amount | compare | frac_type | fraction | integer |

0.41 | F | Number | 0.41 | 0 |

4.18 | F | Number | 0.18 | 4 |

0.26 | F | Number | 0.26 | 0 |

0.34 | F | Number | 0.34 | 0 |

10.60 | F | Number | 0.60 | 10 |

0.11 | F | Number | 0.11 | 0 |

2.00 | F | Number | 0.00 | 2 |

3.49 | F | Number | 0.49 | 3 |

10.58 | F | Number | 0.58 | 10 |

2.00 | F | Number | 0.00 | 2 |

1.02 | F | Number | 0.02 | 1 |

15.43 | F | Number | 0.43 | 15 |

1.17 | F | Number | 0.17 | 1 |

And these are the evals I used to calculate the fields:

| eval integer = floor(amount)

| eval fraction = amount - floor(amount)

| eval frac_type = typeof(fraction)

| eval compare = if(fraction = 0.6, "T", "F")

Now, I really can't understand how the "compare" field is always false.... I was expecting it to output TRUE on row 5 with amount = 10.60, which means fraction = 0.6, but it does not.

What am I doing wrong here? Why "compare" evaluates to FALSE on row 5?

I tried to change 0.6 with 0.60 (you never know), but no luck.

If you want you can try this run anywhere search, which gives me the same result:

| makeresults

| eval amount = 10.6

| eval integer = floor(amount)

| eval fraction = amount - floor(amount)

| eval frac_type = typeof(fraction)

| eval compare = if(fraction = 0.6, "T", "F")

Can you help me?

Thank you in advance,

Tommaso

1 Solution

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

tommasoscarpa1

Path Finder

07-30-2024
08:07 AM

Thank you @PickleRick for your answer.

Eventually I worked around the problem like this:

```
| makeresults
| eval amount = 10.6
| eval integer = floor(amount)
| eval fraction = round(amount - floor(amount), 2)
| eval compare = if(fraction = 0.6, "T", "F")
```

I simply rounded the floating point number to some decimal places.

I tested also your example and this solves this problem (that is not actually a problem as you suggested).

Thank you!

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

PickleRick

SplunkTrust

07-30-2024
04:33 AM

Because... it's Splunk math (I suppose it has something to do with float handling underneath).

See this run-anywhere example

| makeresults count=10

| streamstats count

| map search="|makeresults count=$count$| streamstats count as count2 | eval count=$count$"

| eval count=count/10, count2=count2/10

| eval diff=count-count2

| table count count2 diff

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

tommasoscarpa1

Path Finder

07-30-2024
06:06 AM

I see.

So for Splunk 0.3 - 0.1 equals 0.19999999999 instead of 0.2.

Do you know how can I work around this in my example?

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

PickleRick

SplunkTrust

07-30-2024
07:51 AM

I suppose it's not "for Splunk" but rather it's simply a floating point arithmetics which is not as straightforward as we are used to.

You could simply manipulate numbers being 1 or 2 orders of magnitude bigger than your "real" values so that you operate on integers.

This is a common problem with floating-point arithmetics - numbers are not what they seem (or seems they should be).

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

tommasoscarpa1

Path Finder

07-30-2024
08:07 AM

Thank you @PickleRick for your answer.

Eventually I worked around the problem like this:

```
| makeresults
| eval amount = 10.6
| eval integer = floor(amount)
| eval fraction = round(amount - floor(amount), 2)
| eval compare = if(fraction = 0.6, "T", "F")
```

I simply rounded the floating point number to some decimal places.

I tested also your example and this solves this problem (that is not actually a problem as you suggested).

Thank you!

Get Updates on the Splunk Community!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Hi Splunk Community,
Splunk Platform has set a great foundation for your security operations. With the ...

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...