Splunk Search

limit timechart average values to two places

dang
Path Finder

I'm attempting to look at average free memory in GB on a number of servers (named server01, server02, etc) over time.

Doing this simple query I get the information I'm looking for, and the data is in gigabytes:

eventtype="windows_performance" Host="server*" object="Memory" counter="Available MBytes" |  eval FreeGB=(Value/1024) | timechart span=30m avg(FreeGB) by Host

The problem I'm encountering is that I'd like to present the timecharted values as having only two decimal places, and I can't figure out how. Using "round" in the eval statement [for example eval FreeGB=round((Value/1024),2)] doesn't seem to work.

Any suggestions?

Tags (2)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You could roll it all into one eval timechart function:

... | timechart span=30m eval(round(avg(Value)/1024,2)) by Host

That will compute the average, convert to GB, and round to tens of MB.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You could roll it all into one eval timechart function:

... | timechart span=30m eval(round(avg(Value)/1024,2)) by Host

That will compute the average, convert to GB, and round to tens of MB.

mattymo
Splunk Employee
Splunk Employee

Just a heads up for anyone trying this, that eval naming is still required. Martin's example does it with the 'by' clause, or you can use the 'AS' to rename.

Won't work:

| timechart span=15m eval(round(avg(RMS_Watts_Tot),2)) 

^^ Error in 'timechart' command: The eval expression 'eval(round(avg(RMS_Watts_Tot),2))' must be renamed.

Works:

| timechart span=15m eval(round(avg(RMS_Watts_Tot),2)) AS watts
| timechart span=15m eval(round(avg(RMS_Watts_Tot),2)) by host
- MattyMo
0 Karma

dang
Path Finder

Thank you, Martin. That was the answer I was looking for.

0 Karma

HiroshiSatoh
Champion

"ROUND" is okay. Do you want to be a display what results? Value Is it a numeric type?Error Is the output to "search.log"?

round((tonumber(Value)/1024),2)

0 Karma
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...