Splunk Search

Possible eval min bug?

Communicator

Howdy, I've got some very simple data and I'm running the following on it:

``````index=main sourcetype=something host=something-else.csv
| eval minX = min(X1, X2, X3)
| timechart span=1day min(X1) min(X2) min(X3) min(minX)
``````

`X1`, `X2`, `X3` all range both positive & negative, as well as including decimals.

Oddly, the above always gives the value of `X2` for `minX`. However, if I change it to

``````index=main sourcetype=something host=something-else.csv
| eval minX = min(1000000, X1, X2, X3)
| timechart span=1day min(X1) min(X2) min(X3) min(minX)
``````

where 1000000 is some number above all the other numbers, it works as I want it to and selects the minimum value of the 3 fields.
I'm not sure why adding the 4th value should change anything... any ideas?

Tags (1)
1 Solution
Splunk Employee

Probably a bug. Try using

``````... | eval minX = min(tonumber(X1), tonumber(X2), tonumber(X3)) | ...
``````

It is likely related to this: http://answers.splunk.com/questions/11523/getting-maximum-value-from-a-series-of-fields-not-working

Splunk Employee

Probably a bug. Try using

``````... | eval minX = min(tonumber(X1), tonumber(X2), tonumber(X3)) | ...
``````

It is likely related to this: http://answers.splunk.com/questions/11523/getting-maximum-value-from-a-series-of-fields-not-working

Communicator

Yep this looks to have resolved the issue. Means I don't need to chose an arbitrarily large number as my first field for min() so wahey. Still, min() shouldn't treat individual parameters differently depending on the other parameters should it? I can't seem to find a bugtracker to file this on, are you able to reproduce this? How should I notify 'splunk'?

SplunkTrust

One idea, is that in the docs it says that min(X,...) will actually operate on strings as well as numbers. It says specifically that strings sort higher than numbers.

http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions

However timechart and chart will always ignore values that are not numbers.

The difference is somewhat sensible -- timechart and chart, when you're using their numeric functions, are designed to 'graph' and 'chart' things so they silently filter out occasional non-numeric outliers. eval on the other hand is a much more general tool.

So one idea is to use the eval functions isnum() and tonumber() to see what you can find out anything weird about X2.

see if this changes anything --

``````index=main sourcetype=something host=something-else.csv
| eval x2IsNumber = if(isnum(X2),1,0) | timechart count sum(x2IsNumber) as x2numericCount
``````

and look for places where the second line drops below the count line. If there are any such places you may have your culprit.

SplunkTrust

Sure, it's easy. Just send an email to support@splunk.com and they'll file it for you. splunk support is awesome. Say hi from nick. 😃

Communicator

Yup, i guess isnum and eval min() just decide in different ways. Don't suppose you know where I could file a bug?

SplunkTrust

Well, it was worth a shot. 😃

Communicator

I'm afraid the lines were always equal.

Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...