Hi All,
There are a lot of percentage questions on this forum, and I already know how percentages work, but the eval doesn't seem to work. I will explain.
Here is my search query:
sourcetype="Test" | reverse | delta TimeStamp AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval counter=round(timeDeltaS / 900) | eval to_add=if(counter > 1, (counter - 1), 0) | accum to_add as total_count | eval counter=1 | accum counter as max_count | eval perc=((max_count - total_count) / max_count) | stats max(perc), max(total_count), max(max_count), count(FilesOpen)
Which returns:
max(perc) max(total_count) max(max_count) count(FilesOpen)
1.000000 1 226 226
As you can see, the perc field is not returning a percentage; it is essentially 100%, but should be around 99%, not 100%. However, when I swap total_count with an actual number,
sourcetype="Test" | reverse | delta TimeStamp AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval counter=round(timeDeltaS / 900) | eval to_add=if(counter > 1, (counter - 1), 0) | accum to_add as total_count | eval counter=1 | accum counter as max_count | eval perc=((max_count - 1) / max_count) | stats max(perc), max(total_count), max(max_count), count(FilesOpen)
I get this:
max(perc) max(total_count) max(max_count) count(FilesOpen)
0.995633 1 229 229
Any ideas?
Isn't total_count 0?
perc=((max_count - total_count) / max_count)
first:1-0/1=1.000000
last:226-1/226=0.995575
perc=((max_count - 1) / max_count)
first:1-1/1=0.000000
last:229-1/229=0.995633
I do not think that there is a bug in the calculation of the number of significant digits of Splunk.
(I want you to check all the lines here)
sourcetype="Test" | reverse | delta TimeStamp AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval counter=round(timeDeltaS / 900) | eval to_add=if(counter > 1, (counter - 1), 0) | accum to_add as total_count | eval counter=1 | accum counter as max_count | eval perc=((max_count - total_count) / max_count)
I know the math points to total_count being equal to 0 but Splunk reports it as being equal to 1. Hence my confusion.
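The first/last arithmetic in the answer above can be checked by modelling the search row by row. This is an added Python example, not code from either poster: the timestamps are constructed (226 events at 900 s spacing with one slot missing), and the function names are hypothetical. It shows that the per-event perc is 1.0 on every row before the gap, so a maximum taken over all rows reports 1.0 even though the final row holds 0.995575.

```python
INTERVAL = 900  # seconds between expected events, from `timeDeltaS / 900`

def sample_timestamps(n=226, gap_before=150):
    """Constructed data: n epoch times 900 s apart, with one slot skipped."""
    out, t = [], 1_700_000_000
    for i in range(n):
        if i == gap_before:
            t += INTERVAL  # one missing event -> a single 1800 s gap
        out.append(t)
        t += INTERVAL
    return out

def run_pipeline(timestamps):
    """Model each eval/accum step; input is oldest first, as after `reverse`."""
    rows, prev, total_count, max_count = [], None, 0, 0
    for t in timestamps:
        delta = None if prev is None else abs(t - prev)  # delta p=1, then abs()
        prev = t
        # round() modelled as round-half-up; the first event has no delta
        counter = None if delta is None else int(delta / INTERVAL + 0.5)
        to_add = counter - 1 if counter is not None and counter > 1 else 0
        total_count += to_add  # accum to_add as total_count
        max_count += 1         # eval counter=1 | accum counter as max_count
        rows.append({"total_count": total_count, "max_count": max_count,
                     "perc": (max_count - total_count) / max_count})
    return rows

def summarize(rows):
    """Maximum of each field over all rows, next to the final row's perc."""
    return {
        "max(perc)": max(r["perc"] for r in rows),
        "max(total_count)": max(r["total_count"] for r in rows),
        "max(max_count)": max(r["max_count"] for r in rows),
        "final_row_perc": round(rows[-1]["perc"], 6),
    }

if __name__ == "__main__":
    print(summarize(run_pipeline(sample_timestamps())))
```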