Number comparison seems not to be working

tommasoscarpa1
Path Finder

Hi,

This thing is driving me crazy.

I am running Splunk 9.2.1 and I have the following table:

amount  compare  frac_type  fraction  integer
0.41    F        Number     0.41      0
4.18    F        Number     0.18      4
0.26    F        Number     0.26      0
0.34    F        Number     0.34      0
10.60   F        Number     0.60      10
0.11    F        Number     0.11      0
2.00    F        Number     0.00      2
3.49    F        Number     0.49      3
10.58   F        Number     0.58      10
2.00    F        Number     0.00      2
1.02    F        Number     0.02      1
15.43   F        Number     0.43      15
1.17    F        Number     0.17      1

And these are the evals I used to calculate the fields:

| eval integer = floor(amount)
| eval fraction = amount - floor(amount)
| eval frac_type = typeof(fraction)
| eval compare = if(fraction = 0.6, "T", "F")

Now, I really can't understand how the "compare" field is always false... I was expecting it to output TRUE on row 5 with amount = 10.60, which means fraction = 0.6, but it does not.

What am I doing wrong here? Why does "compare" evaluate to FALSE on row 5?

I tried replacing 0.6 with 0.60 (you never know), but no luck.

If you want, you can try this run-anywhere search, which gives me the same result:

| makeresults
| eval amount = 10.6
| eval integer = floor(amount)
| eval fraction = amount - floor(amount)
| eval frac_type = typeof(fraction)
| eval compare = if(fraction = 0.6, "T", "F")

Can you help me?

Thank you in advance,

Tommaso


PickleRick
SplunkTrust

Because... it's Splunk math (I suppose it has something to do with float handling underneath).

See this run-anywhere example

| makeresults count=10
| streamstats count
| map search="|makeresults count=$count$| streamstats count as count2 | eval count=$count$"
| eval count=count/10, count2=count2/10
| eval diff=count-count2
| table count count2 diff

 

tommasoscarpa1
Path Finder

I see.

So for Splunk 0.3 - 0.1 equals 0.19999999999 instead of 0.2.

Do you know how I can work around this in my example?

PickleRick
SplunkTrust

I suppose it's not "for Splunk"; rather, it's simply floating-point arithmetic, which is not as straightforward as we are used to.

You could simply manipulate numbers that are 1 or 2 orders of magnitude bigger than your "real" values so that you operate on integers.

This is a common problem with floating-point arithmetic - numbers are not what they seem (or what it seems they should be).

tommasoscarpa1
Path Finder

Thank you @PickleRick for your answer.

Eventually I worked around the problem like this:

| makeresults
| eval amount = 10.6
| eval integer = floor(amount)
| eval fraction = round(amount - floor(amount), 2)
| eval compare = if(fraction = 0.6, "T", "F")



I simply rounded the floating point number to some decimal places.

I also tested your example, and this solves the problem (which is not actually a problem, as you suggested).

Thank you!
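
The comparison discussed in this thread, reproduced outside Splunk as an added example (not code from either poster). It assumes eval arithmetic behaves like IEEE 754 doubles, which matches the results reported above; the function names and the sample list are constructed for illustration.

```python
import math
from decimal import Decimal

# Constructed sample: a few amounts copied from the table in the question.
AMOUNTS = ["0.41", "4.18", "10.60", "10.58", "2.00", "15.43"]

def fraction_naive(amount: float) -> float:
    """Same arithmetic as `eval fraction = amount - floor(amount)`."""
    return amount - math.floor(amount)

def fraction_rounded(amount: float, places: int = 2) -> float:
    """Workaround from the thread: round to the precision of the data."""
    return round(amount - math.floor(amount), places)

def fraction_cents(amount_text: str) -> int:
    """Scaled-integer variant: work in hundredths so equality is exact."""
    return int(round(float(amount_text) * 100)) % 100

def stored_value(x: float) -> str:
    """Exact decimal expansion of the double that is actually stored."""
    return str(Decimal(x))

def compare_table(target: str = "0.60"):
    """Evaluate each comparison strategy against every sample amount."""
    want = float(target)
    want_cents = int(round(want * 100))
    rows = []
    for text in AMOUNTS:
        amount = float(text)
        naive = fraction_naive(amount)
        rows.append({
            "amount": text,
            "naive": naive == want,                          # exact float equality
            "rounded": fraction_rounded(amount) == want,     # round() then compare
            "cents": fraction_cents(text) == want_cents,     # integer compare
            "tolerance": math.isclose(naive, want, abs_tol=1e-9),
        })
    return rows

if __name__ == "__main__":
    # Shows why the naive comparison fails: the stored fraction is not 0.6.
    print("10.6 - floor(10.6) is stored as", stored_value(fraction_naive(10.6)))
    for row in compare_table():
        print(row)
```

Only the naive equality misses the 10.60 row; rounding, integer scaling and a tolerance check all match it without matching any other row.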
