Turn on suggestions

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Splunk Search

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Rounding anomaly?

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

echojacques

Builder

03-18-2014
01:15 PM

I'm getting what I believe are strange results when using the round function to control the number of decimal places. This is a search that I have in a dashboard to calculate how much data (in GB) that I have indexed in the last 24 hours:

```
index="_internal" source="*metrics.log" per_index_thruput| eval GB=kb/1024/1024 | stats sum(GB) as total
```

The result of the above search is: 7.8531551056447. I wanted to round to 2 decimal places so I modified the search to use the round function like this:

```
index="_internal" source="*metrics.log" per_index_thruput| eval GB=round((kb/1024/1024),2) | stats sum(GB) as total
```

However, the result of the above search is: 0.15 (instead of 7.85). So, I tried the same search but this time to 3 decimal places like this:

```
index="_internal" source="*metrics.log" per_index_thruput| eval GB=round((kb/1024/1024),3) | stats sum(GB) as total
```

The result of the above search is: 7.21 which is closer to the expected result of 7.85 but still not 100% accurate.

So, I tried 4 decimal places like this:

```
index="_internal" source="*metrics.log" per_index_thruput| eval GB=round((kb/1024/1024),4) | stats sum(GB) as total
```

And the result of the above search is 7.8405 which is almost accurate/correct. But, I don't want 4 decimal places...

What am I doing wrong, why does the search with 2 decimal places return 0.15? Thanks!

1 Solution

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

somesoni2

Revered Legend

03-18-2014
03:17 PM

Try this.

```
index="_internal" source="*metrics.log" per_index_thruput| eval GB=kb/1024/1024 | stats sum(GB) as total | eval sum(GB)=round(sum(GB),2)
```

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

MuS

SplunkTrust

03-18-2014
11:49 PM

This is not yet an answer, just informational: last November we did open a case with support because of this `eval`

example:

```
index=main | eval result=0.2-0 | head 10 | table result
```

This example shows the calculation of 0.2 minus 0, which gives 0.2, looks good so far ... but, when we multiply 0 with 0.1 first, like this:

```
index=main | eval result=0.2-(0*0.1) | head 10 | table result
```

which should end up in 0.2 as well (0 * 0.1 is 0, 0.2 minus 0 is 0.2). But Splunk gives back zero (0) instead.

Update: This will be handled in SPL-76889, eval multiplication with 0.

cheers, MuS

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

somesoni2

Revered Legend

03-20-2014
12:09 PM

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

MuS

SplunkTrust

03-20-2014
03:18 AM

update ping

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

echojacques

Builder

03-19-2014
09:10 AM

Interesting, thanks for the info!

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

somesoni2

Revered Legend

03-18-2014
03:17 PM

Try this.

```
index="_internal" source="*metrics.log" per_index_thruput| eval GB=kb/1024/1024 | stats sum(GB) as total | eval sum(GB)=round(sum(GB),2)
```

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

echojacques

Builder

03-19-2014
09:07 AM

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

somesoni2

Revered Legend

03-18-2014
09:07 PM

My bad. replace eval stmt with this.

|eval total==round(total,2)

- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

echojacques

Builder

03-18-2014
03:32 PM

Thanks but I got the following error when I tried this search:

Error in 'eval' command: The 'sum' function is unsupported or undefined.

Register for .conf21 Now!
Go Vegas or Go Virtual!

Get Updates on the Splunk Community!