Rounding to -2 works but not -3?

kearaspoor
Communicator

Working on a search that will monitor when the searches that populate a summary index run, and I need to round the epoch time of when the search started to the closest hour.

| eval runtime=strftime(info_search_time, "%m/%d/%y %H")
appropriately groups things but doesn't allow me to perform further calculations on the time value.
I've also tried re-converting this timestamp to epoch using strptime(runtime,"%s") but it doesn't work unless I include the minute/second details... I haven't figured out how to replace those with zeros.

| eval RUNTIME=round(info_search_time,0)
appropriately removes the numbers to the right of the decimal, leaving just an integer.

To my pleasant surprise, I found that:
| eval RUNTIME=round(info_search_time,-2)
rounds the epoch time to: ########00

But when I try:
| eval RUNTIME=round(info_search_time,-3)
instead of getting #######000, as I'd like, I'm getting -nan

Any idea why rounding to -3 isn't allowed or if there's some other approach I should be trying?

Thank you!


somesoni2
Revered Legend

If all you need is to round the value of info_search_time to the hour, use the bucket command.

...| bucket span=1h info_search_time

It'll keep the value in epoch and round/bucket it to hour length.


woodcock
Esteemed Legend

You should open a support case; I made a comment on the documentation page.


kmorris_splunk
Splunk Employee

Check out the accepted answer in this post:

https://answers.splunk.com/answers/200468/round-problem.html

I have tested this (see screenshot)


kearaspoor
Communicator

The comment made by somesoni2 recommending the bucket command worked like a charm, but I can't accept it as the correct answer because it was posted as a comment. 😞 If it gets moved, I'll accept it as a great answer. Thank you!

aaraneta_splunk
Splunk Employee

@kearaspoor - I have moved somesoni2's comment to an answer that you can accept. Thanks for leaving that comment saying it helped you 🙂
