Splunk Search

Splunk/eval ignores real numbers less than 1.0

nysoitsmiket
Explorer

Splunk seems to be ignoring numbers less than 1.0 regardless of incoming precision. If my tField value is 1.000 or greater the math works just fine. But if it is less than 1.000 the eval function treats it as if it were 0.0 (or NULL?)

(REMOVED MY ATTEMPT TO SHOW SPLUNK OUTPUT AS A TABLE). I am trying to run streamstats on a set of log records with millisecond-accurate entries for the completion of a task. Each includes the task run time expressed as seconds to up to 4 decimal places (my "tField"). When I try to compute the accurate start time of a task, any task that lasts more than a second computes accurately. Every task that lasts less than a second results in no values for computed fields. For example:

Timestamp = 11:34:08.707

if the tField = 1.001, I can subtract it from the _time value (1401982448.707)

and get the correct result (1401982447.706)
Same timestamp, next entry in the log:

the tField value = .2426 (log file does not include a leading 0); no computed fields are produced and I only have the _time value (1401982448.707) for that record.

I have experimented with all kinds of permutations of using the exact function and nothing seems to work. The function that produced this output is:

eval t_ms=exact(_time)*1000.0|eval tX_ms=exact(tField)*1000.0|eval t0_ms=exact(t_ms)-exact(tX_ms)| sort 0 _time |table _time tField tX_ms t0_ms t_ms

I have an image of the output but I don't have enough Karma to upload it.

0 Karma

nysoitsmiket
Explorer

Workaround by adding a leading "0" to every instance of tField.

0 Karma

nysoitsmiket
Explorer

Is this a bug or a design decision (and missed or missing documentation)?

0 Karma

nysoitsmiket
Explorer

Sorry about the weird attempt to show the output as a table. Meanwhile, I have a workaround. (tried answering my own question but the site threw a 500 error.)

The real problem turns out to be that Splunk is failing to convert a real number that starts with the decimal point. I was able to get by this by adding a leading "0" to every instance of tField.

0 Karma
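The workaround described in the thread (prepending a "0" to any tField value that starts with a decimal point), written out as a complete search. This is an added example, not the original poster's search: it assumes the same field names as the thread (_time, tField) and uses the eval functions like(), if() and string concatenation to normalize the field before any arithmetic, so that sub-second values such as ".2426" are no longer silently dropped from the computed columns.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| eval tField=if(like(tField, ".%"), "0" . tField, tField)   /* ".2426" -> "0.2426"; values that already have a leading digit are untouched */
| eval t_ms=exact(_time) * 1000.0                            /* completion time in milliseconds */
| eval tX_ms=exact(tField) * 1000.0                          /* task duration in milliseconds */
| eval t0_ms=t_ms - tX_ms                                    /* computed start time in milliseconds */
| eval unparsed=if(isnull(tX_ms), 1, 0)                      /* flag any record whose duration still failed to convert */
| sort 0 _time
| table _time tField tX_ms t0_ms t_ms unparsed
```

The unparsed column is a cheap sanity check for this class of problem: a silently failed numeric conversion yields null computed fields and the affected events simply vanish from any streamstats or stats built on top of them, so counting the rows where unparsed=1 tells you whether the normalization caught every malformed value rather than just the example from the log.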

lguinn2
Legend

Sorry, but the first few lines of this are impossible to read...

0 Karma