Solved: Number comparison seems not to be working

tommasoscarpa1 · ‎07-30-2024

Hi,

This thing is getting me crazy.

I am running Splunk 9.2.1 and I have the following table:

amount	compare	frac_type	fraction	integer
0.41	F	Number	0.41	0
4.18	F	Number	0.18	4
0.26	F	Number	0.26	0
0.34	F	Number	0.34	0
10.60	F	Number	0.60	10
0.11	F	Number	0.11	0
2.00	F	Number	0.00	2
3.49	F	Number	0.49	3
10.58	F	Number	0.58	10
2.00	F	Number	0.00	2
1.02	F	Number	0.02	1
15.43	F	Number	0.43	15
1.17	F	Number	0.17	1

And these are the evals I used to calculate the fields:

| eval integer = floor(amount)
| eval fraction = amount - floor(amount)
| eval frac_type = typeof(fraction)
| eval compare = if(fraction = 0.6, "T", "F")

Now, I really can't understand how the "compare" field is always false.... I was expecting it to output TRUE on row 5 with amount = 10.60, which means fraction = 0.6, but it does not.

What am I doing wrong here? Why "compare" evaluates to FALSE on row 5?

I tried to change 0.6 with 0.60 (you never know), but no luck.

If you want you can try this run anywhere search, which gives me the same result:

Can you help me?

Thank you in advance,

Tommaso

tommasoscarpa1 · ‎07-30-2024

Thank you @PickleRick for your answer.

Eventually I worked around the problem like this:

| makeresults
| eval amount = 10.6
| eval integer = floor(amount)
| eval fraction = round(amount - floor(amount), 2)
| eval compare = if(fraction = 0.6, "T", "F")

I simply rounded the floating point number to some decimal places.

I tested also your example and this solves this problem (that is not actually a problem as you suggested).

Thank you!

View solution in original post

PickleRick · ‎07-30-2024

Because... it's Splunk math (I suppose it has something to do with float handling underneath).

See this run-anywhere example

| makeresults count=10
| streamstats count 
| map search="|makeresults count=$count$| streamstats count as count2 | eval count=$count$"
| eval count=count/10, count2=count2/10
| eval diff=count-count2
| table count count2 diff

tommasoscarpa1 · ‎07-30-2024

I see.

So for Splunk 0.3 - 0.1 equals 0.19999999999 instead of 0.2.

Do you know how can I work around this in my example?

PickleRick · ‎07-30-2024

I suppose it's not "for Splunk" but rather it's simply a floating point arithmetics which is not as straightforward as we are used to.

You could simply manipulate numbers being 1 or 2 orders of magnitude bigger than your "real" values so that you operate on integers.

This is a common problem with floating-point arithmetics - numbers are not what they seem (or seems they should be).

tommasoscarpa1 · ‎07-30-2024

Thank you @PickleRick for your answer.

Eventually I worked around the problem like this:

| makeresults
| eval amount = 10.6
| eval integer = floor(amount)
| eval fraction = round(amount - floor(amount), 2)
| eval compare = if(fraction = 0.6, "T", "F")

I simply rounded the floating point number to some decimal places.

I tested also your example and this solves this problem (that is not actually a problem as you suggested).

Thank you!

Number comparison seems not to be working

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation