Splunk Search

When using "stats max ()", why is the result truncated?

yutaka1005
Builder

My environment:
Splunk 7.2.3

When I do the following search, the result is truncated.

search-1

| makeresults count=1
| eval num="123456789123456789123456789" 
| stats max(num)

result-1

max(num)
123456789123456790000000000

search-2

| makeresults count=2 
| eval num="123456789123456789123456789" 
| eval num2=num+num

result-2

num2
246913578246913580000000000

How can I avoid this?

0 Karma
1 Solution

woodcock
Esteemed Legend

You cannot. You must ask Splunk for a new feature by filing a P0 support case, which is how they handle Enhancement Requests. Do not get your hopes up. The problem is that Splunk (and, to be fair, many, many other software tools) has a smaller-than-expected mantissa. See here for some background:
https://en.wikipedia.org/wiki/Significant_figures

P.S. We sometimes joke mockingly about this and other similar quirks as #SplunkMath.

0 Karma

yutaka1005
Builder

Thank you for the answer.

I hope that this limit value will be expanded someday...
For now, I will consider another way to calculate.

0 Karma

HiroshiSatoh
Champion

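So there is an upper limit on the numbers that can be handled, right?
eval num="123456789123456789123456789"
Here the value is assigned as a string, so it goes in as is, but
eval num=123456789123456789123456789
if you assign it as a number, the value comes out wrong. It is not because of MAX.

I think we just have to treat it as being that way.

The size of C's long type (x64) does not seem to work either, so I don't really know what the limit value is.
LONG_MAX 9223372036854775807 maximum value of long
LONG_MIN -9223372036854775808 minimum value of long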

0 Karma

yutaka1005
Builder

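Indeed, if you don't enclose it in double quotes, it gets truncated in the first place...

As for numeric data, I wonder whether there is something like a limit on the number of digits.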

0 Karma
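The values in result-1 and result-2, and the LONG_MAX observation in the comments, can be reproduced outside Splunk. The following is an added example, not code from the thread or from Splunk; it assumes numeric fields behave like IEEE 754 64-bit doubles printed with 17 significant digits, which matches the outputs shown above. All function names are hypothetical.

```python
# Added illustration: models the thread's results with 64-bit doubles.
# Assumption: Splunk numeric evaluation behaves like an IEEE 754 double here.
from decimal import Decimal

MAX_EXACT_INT = 2 ** 53  # a double has a 53-bit significand


def render(x: float) -> str:
    """Print a double with 17 significant digits, zero-padded like result-1."""
    return format(Decimal(f"{x:.17g}"), "f")


def max_as_double(values):
    """Model of `stats max(num)`: each string is coerced to a double first."""
    return render(max(float(v) for v in values))


def add_as_double(a, b):
    """Model of `eval num2=num+num`."""
    return render(float(a) + float(b))


def survives_double(value: str) -> bool:
    """True if the integer string is unchanged after a trip through a double."""
    return int(float(value)) == int(value)


def collide(a: str, b: str) -> bool:
    """True if two different integers map to the same double."""
    return int(a) != int(b) and float(a) == float(b)


def exact_max(values):
    """Exact maximum using arbitrary-precision integers on the raw strings."""
    return max(values, key=int)


if __name__ == "__main__":
    num = "123456789123456789123456789"       # value from the question
    neighbour = "123456789123456789123456790"  # constructed: num + 1
    print(max_as_double([num]))                # same digits as result-1
    print(add_as_double(num, num))             # same digits as result-2
    print(survives_double("9223372036854775807"))  # LONG_MAX: False
    print(survives_double(str(MAX_EXACT_INT)))     # 2**53: True
    print(collide(num, neighbour))             # distinct values, one double
    print(exact_max([num, neighbour]))         # exact result from strings
```

Under this assumption, integers are only guaranteed to be exact up to 2**53 (about 16 decimal digits), so longer identifiers or counters are safer kept and compared as strings, or computed outside the search.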