Splunk Search

incorrect use of eval?

FromTheGraves
Engager

Hi, I'm new to Splunk, so I apologize if this question seems naive.

While experimenting with calculated fields, I found some inconsistent results. Consequently, I removed these fields and tested directly in the search.

I'm aware that the syntax I'm using here with eval is not the one specified in the documentation, but I'm using it to simulate the calculated field (and it yields the same results). I've seen this use of eval elsewhere but only for very simple things.

When I run:

stats sum(eval((bytes/(1024*1024)))) as MB

, it works. However, when I run

stats sum(eval(round(bytes/(1024*1024),2))) as MB

I get results, but they are totally inconsistent.

What could be happening? Where is my mistake? (Note that I'm not looking for the correct solution - I already have it - but I want to understand why this syntax doesn't work.)

Thanks.

Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

Rounding errors?

When you're doing

stats sum(eval(round(bytes/(1024*1024),2))) as MB

You lose some part of the value since you're "cutting off" the part after two decimal digits.

So the error is expected.

View solution in original post

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Rounding errors?

When you're doing

stats sum(eval(round(bytes/(1024*1024),2))) as MB

You lose some part of the value since you're "cutting off" the part after two decimal digits.

So the error is expected.

0 Karma

FromTheGraves
Engager

Okay, good point, I must have left my brain somewhere far away...

Indeed, max(bytes) is 47KB and avg is 2KB, less than 1MB!

Thank you all for your responsiveness.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

In what way are they inconsistent? (The totals are most likely different due to the rounding)

0 Karma

apietsch
Splunk Employee
Splunk Employee

Interesting... Is it a different result every time you run it or at least the same different results for the same input?

---------------------
Chaos Smoother | Data Wrangler
0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...