Splunk Search

Rounding to -2 works but not -3?

kearaspoor
Communicator

I'm working on a search that will monitor when the searches that populate a summary index run, and I need to round the epoch time of when the search started to the closest hour.

| eval runtime=strftime(info_search_time, "%m/%d/%y %H")
Appropriately groups things but doesn't allow me to perform further calculations on the time value
I've also tried re-converting this timestamp to epoch using strptime(runtime,"%s") but it doesn't work unless I include the minute/second details... I haven't figured out how to replace those with zeros.

| eval RUNTIME=round(info_search_time,0)
appropriately removes the numbers to the right of the decimal, leaving just an integer.

To my pleasant surprise, I found that:
| eval RUNTIME=round(info_search_time,-2)
rounds the epoch time to: ########00

But when I try:
| eval RUNTIME=round(info_search_time,-3)
instead of getting #######000, as I'd like, I'm getting -nan

Any idea why rounding to -3 isn't allowed or if there's some other approach I should be trying?

Thank you!

0 Karma
1 Solution

somesoni2
Revered Legend

If all you need is the value of info_search_time rounded to the hour, use the bucket command.

...| bucket span=1h info_search_time

It'll keep the value in epoch and round/bucket it to hour length.
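Putting the bucket approach into the kind of monitoring search the question describes, as an added example that is not from the original thread or from Splunk. It assumes summary-indexed events live in an index named summary, that the populating saved searches are named populate_*, and that each event carries the search_name and info_search_time fields written at collection time (info_search_time is the field the question uses; if your events lack it, | addinfo supplies it for the running search rather than the original run).

```spl
index=summary search_name="populate_*"
| bucket span=1h info_search_time AS run_hour
| eval nearest_hour = round(info_search_time/3600, 0)*3600
| eval started_after_hour_sec = info_search_time - run_hour
| eval run_hour_text = strftime(run_hour, "%m/%d/%y %H:00")
| stats count AS runs, min(started_after_hour_sec) AS earliest_offset_sec, max(started_after_hour_sec) AS latest_offset_sec BY search_name, run_hour, run_hour_text
| where runs != 1 OR latest_offset_sec > 900
| sort - run_hour
```

bucket keeps run_hour as an epoch integer truncated down to the start of the hour, so arithmetic such as info_search_time - run_hour works directly, and strftime on the bucketed value gives the grouped text label without the strptime round-trip. The nearest_hour line is the "closest hour" variant: dividing by 3600 and rounding to zero decimal places avoids negative precision entirely. Note that rounding epoch seconds to a power of ten would not give hour boundaries even if it worked, since multiples of 1000 seconds only coincide with hour boundaries every 9000 seconds. The final where clause flags hours in which a populating search ran more than once, or started more than 15 minutes late; adjust the threshold to your schedule.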


woodcock
Esteemed Legend

You should open a support case; I made a comment on the documentation page.

0 Karma

kmorris_splunk
Splunk Employee

Check out the accepted answer in this post:

https://answers.splunk.com/answers/200468/round-problem.html

I have tested this (see screenshot)


0 Karma

kearaspoor
Communicator

The comment made by somesoni2, recommending the bucket command, worked like a charm, but I can't accept it as the correct answer because it was posted as a comment. 😞 If it gets moved I'll accept it as a great answer. Thank you!

aaraneta_splunk
Splunk Employee

@kearaspoor - I have moved somesoni2's comment to an answer that you can accept. Thanks for leaving that comment saying it helped you 🙂

0 Karma