- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- When using "stats max ()", why is the result trunc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My environment:
Splunk 7.2.3
When I do the following search, the result is truncated.
search-1
| makeresults count=1
| eval num="123456789123456789123456789"
| stats max(num)
result-1
max(num)
123456789123456790000000000
search-2
| makeresults count=2
| eval num="123456789123456789123456789"
| eval num2=num+num
result-2
num2
246913578246913580000000000
How can I avoid this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You cannot. You must ask Splunk for a new feature by filing a P0 support case which is how they handle Enhancement Requests. Do not get your hopes up. The problem is that Splunk (and, to be fair, many, many other software tools) have a smaller than expected mantissa. See here for some background:
https://en.wikipedia.org/wiki/Significant_figures
P.S. We sometimes joke mockingly about this, and other similar quirks as #SplunkMath.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You cannot. You must ask Splunk for a new feature by filing a P0 support case which is how they handle Enhancement Requests. Do not get your hopes up. The problem is that Splunk (and, to be fair, many, many other software tools) have a smaller than expected mantissa. See here for some background:
https://en.wikipedia.org/wiki/Significant_figures
P.S. We sometimes joke mockingly about this, and other similar quirks as #SplunkMath.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for Answer.
I hope that this limit value will be expanded someday...
For now, I will consider another way to calculate.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
扱える数値に上限があるってことだよね?
eval num="123456789123456789123456789"
これは文字列として代入しているから値が入るけど
eval num=123456789123456789123456789
数値として入れたら値はおかしくなる。MAXだからというわけではない。
そういうものとして扱うしかないんじゃないかと思う。
Cのlong型(x64)のサイズもダメみたいなので制限値はよくわからないですね。
LONG_MAX 9223372036854775807 long 最大値
LONG_MIN -9223372036854775808 long 最小値
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
確かにダブルクオートで囲まないと、そもそも切り捨てられちゃいますね…。
数値型のデータに関して、限界桁数みたいなものがあるのか
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
