Splunk Search

Why is timechart returning null results if eval returns a value less than 1?

pkeller
Contributor

I'm finding that timechart is returning null results if my number is less than 1.

earliest=-3d latest=-1d sourcetype=foo | timechart span=1h avg(value) as myValue by host

If the overall average of value is less than one ... i.e. .2 or .7 etc. ... I get a null result in myValue.

This works fine for numbers 1 or greater.

I've tried using round, exact, and eval(avg(value)*10) ... I still get null results.

0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

 earliest=-3d latest=-1d sourcetype=foo | timechart span=1h avg(tonumber(value)) as myValue by host

0 Karma

pkeller
Contributor

Never mind ... If I change the provided value to 0.2, 0.7 etc. ... this works.

0 Karma

pkeller
Contributor

Thank you ... that didn't quite work, but you pointed me in the right direction ...

earliest=-3d latest=-1d sourcetype=foo | eval number=tonumber(value) | timechart span=1h avg(number) as myValue by host

0 Karma
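
A diagnostic search built on the fix in this thread, added here as an example and not posted by either participant: it converts value with tonumber() before aggregating, as the final search above does, and counts per outcome which hosts send values without a leading zero or values that cannot be converted at all. The field names number, status and hosts are assumptions; sourcetype=foo, value and host come from the thread.

```spl
earliest=-3d latest=-1d sourcetype=foo
| eval number=tonumber(value)
| eval status=case(isnull(value), "value missing",
                   isnull(number), "tonumber() could not convert",
                   like(value, ".%"), "converted, no leading zero",
                   true(), "converted")
| stats count values(host) as hosts by status
```

Hosts listed under "converted, no leading zero" are the ones whose raw values produce the null buckets described in the question when passed straight to timechart avg(value).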