Solved: Rounding anomaly?

echojacques · ‎03-18-2014

I'm getting what I believe are strange results when using the round function to control the number of decimal places. This is a search that I have in a dashboard to calculate how much data (in GB) that I have indexed in the last 24 hours:

index="_internal" source="*metrics.log" per_index_thruput| eval GB=kb/1024/1024 | stats sum(GB) as total

The result of the above search is: 7.8531551056447. I wanted to round to 2 decimal places so I modified the search to use the round function like this:

index="_internal" source="*metrics.log" per_index_thruput| eval GB=round((kb/1024/1024),2) | stats sum(GB) as total

However, the result of the above search is: 0.15 (instead of 7.85). So, I tried the same search but this time to 3 decimal places like this:

index="_internal" source="*metrics.log" per_index_thruput| eval GB=round((kb/1024/1024),3) | stats sum(GB) as total

The result of the above search is: 7.21 which is closer to the expected result of 7.85 but still not 100% accurate.

So, I tried 4 decimal places like this:

index="_internal" source="*metrics.log" per_index_thruput| eval GB=round((kb/1024/1024),4) | stats sum(GB) as total

And the result of the above search is 7.8405 which is almost accurate/correct. But, I don't want 4 decimal places...

What am I doing wrong, why does the search with 2 decimal places return 0.15? Thanks!

somesoni2 · ‎03-18-2014

Try this.

index="_internal" source="*metrics.log" per_index_thruput| eval GB=kb/1024/1024 | stats sum(GB) as total | eval sum(GB)=round(sum(GB),2)

View solution in original post

MuS · ‎03-18-2014

This is not yet an answer, just informational: last November we did open a case with support because of this eval example:

index=main | eval result=0.2-0 | head 10 | table result

This example shows the calculation of 0.2 minus 0, which gives 0.2, looks good so far ... but, when we multiply 0 with 0.1 first, like this:

index=main | eval result=0.2-(0*0.1) | head 10 | table result

which should end up in 0.2 as well (0 * 0.1 is 0, 0.2 minus 0 is 0.2). But Splunk gives back zero (0) instead.

Update: This will be handled in SPL-76889, eval multiplication with 0.

cheers, MuS

somesoni2 · ‎03-20-2014

Very interesting. It seems Splunk is rounding off "0.2" to integer (0 decimal) and thus giving 0. Used "0.5" or "0.45" gave me 1.

MuS · ‎03-20-2014

update ping

echojacques · ‎03-19-2014

Interesting, thanks for the info!

somesoni2 · ‎03-18-2014

Try this.

index="_internal" source="*metrics.log" per_index_thruput| eval GB=kb/1024/1024 | stats sum(GB) as total | eval sum(GB)=round(sum(GB),2)

echojacques · ‎03-19-2014

The |eval total=round(total,2) works great and doesn't have the same problem as my original search. Thanks!

somesoni2 · ‎03-18-2014

My bad. replace eval stmt with this.

|eval total==round(total,2)

echojacques · ‎03-18-2014

Thanks but I got the following error when I tried this search:

Error in 'eval' command: The 'sum' function is unsupported or undefined.

Rounding anomaly?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM