Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Number comparison seems not to be working

tommasoscarpa1
Path Finder
‎07-30-2024 03:46 AM

Hi,

 

This thing is getting me crazy.

I am running Splunk 9.2.1 and I have the following table:

amountcomparefrac_typefractioninteger
0.41FNumber0.410
4.18FNumber0.184
0.26FNumber0.260
0.34FNumber0.340
10.60FNumber0.6010
0.11FNumber0.110
2.00FNumber0.002
3.49FNumber0.493
10.58FNumber0.5810
2.00FNumber0.002
1.02FNumber0.021
15.43FNumber0.4315
1.17FNumber0.171

 

And these are the evals I used to calculate the fields:

| eval integer = floor(amount)
| eval fraction = amount - floor(amount)
| eval frac_type = typeof(fraction)
| eval compare = if(fraction = 0.6, "T", "F")

 

Now, I really can't understand how the "compare" field is always false.... I was expecting it to output TRUE on row 5 with amount = 10.60, which means fraction = 0.6, but it does not.

What am I doing wrong here? Why "compare" evaluates to FALSE on row 5?

I tried to change 0.6 with 0.60 (you never know), but no luck.

 

If you want you can try this run anywhere search, which gives me the same result:

 

| makeresults
| eval amount = 10.6
| eval integer = floor(amount)
| eval fraction = amount - floor(amount)
| eval frac_type = typeof(fraction)
| eval compare = if(fraction = 0.6, "T", "F")

 

Can you help me?

 

 

Thank you in advance,

Tommaso

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tommasoscarpa1
Path Finder
‎07-30-2024 08:07 AM

Thank you @PickleRick for your answer.

Eventually I worked around the problem like this:

| makeresults
| eval amount = 10.6
| eval integer = floor(amount)
| eval fraction = round(amount - floor(amount), 2)
| eval compare = if(fraction = 0.6, "T", "F")



I simply rounded the floating point number to some decimal places.

I tested also your example and this solves this problem (that is not actually a problem as you suggested).

 

Thank you!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-30-2024 04:33 AM

Because... it's Splunk math (I suppose it has something to do with float handling underneath).

See this run-anywhere example

| makeresults count=10
| streamstats count 
| map search="|makeresults count=$count$| streamstats count as count2 | eval count=$count$"
| eval count=count/10, count2=count2/10
| eval diff=count-count2
| table count count2 diff

 

Reply
Solved! Jump to solution

tommasoscarpa1
Path Finder
‎07-30-2024 06:06 AM

I see.

So for Splunk 0.3 - 0.1 equals 0.19999999999 instead of 0.2.

Do you know how can I work around this in my example?

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-30-2024 07:51 AM

I suppose it's not "for Splunk" but rather it's simply a floating point arithmetics which is not as straightforward as we are used to.

You could simply manipulate numbers being 1 or 2 orders of magnitude bigger than your "real" values so that you operate on integers.

This is a common problem with floating-point arithmetics - numbers are not what they seem (or seems they should be).

Reply
Solved! Jump to solution
Solution

tommasoscarpa1
Path Finder
‎07-30-2024 08:07 AM

Thank you @PickleRick for your answer.

Eventually I worked around the problem like this:

| makeresults
| eval amount = 10.6
| eval integer = floor(amount)
| eval fraction = round(amount - floor(amount), 2)
| eval compare = if(fraction = 0.6, "T", "F")



I simply rounded the floating point number to some decimal places.

I tested also your example and this solves this problem (that is not actually a problem as you suggested).

 

Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...