Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rounding in chart with by clause

cmeo
Contributor
‎06-01-2017 06:36 AM

I've just encountered a strange thing that doesn't seem to be covered by an Answer or the docs.
If I have a chart command without a 'by' clause, the standard method of rounding works:

[search]| chart avg(thruput_hr) as Thruput over "Run Date"  | eval Thruput=round(Thruput,2)

Results:
04/13 19.20
04/15 36.32
04/16 47.18
etc. as expected.

but if I add a by clause, it doesn't:

[search]| chart avg(thruput_hr) as Thruput over "Run Date" by year | eval Thruput=round(Thruput,2)

Results:
04/13 19.2

04/15 41.538461538 31.099
04/16 59.19 35.17241379

04/17 40.434782609 32.09
etc.

Is this WAD and I missed something, or is there a bug? Is there a way to do the rounding I want with chart?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dineshraj9
Builder
‎06-01-2017 06:45 AM

If you check the statistics tab after adding by clause you will notice that there is no field called "Thruput". You can round off all fields this way.

[search]| chart avg(thruput_hr) over "Run Date" by year | foreach * [eval <<FIELD>>=round('<<FIELD>>',2)]

View solution in original post

Reply
Solved! Jump to solution
Solution

dineshraj9
Builder
‎06-01-2017 06:45 AM

If you check the statistics tab after adding by clause you will notice that there is no field called "Thruput". You can round off all fields this way.

[search]| chart avg(thruput_hr) over "Run Date" by year | foreach * [eval <<FIELD>>=round('<<FIELD>>',2)]
Reply
Solved! Jump to solution

cmeo
Contributor
‎06-01-2017 06:57 AM

Yeah thought it might be something like that because I did notice that 'Thruput' wasn't listed. Interesting though, that it can be rounded even though it's hiding. Well, that's show business.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...