Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

limit timechart average values to two places

dang
Path Finder
‎07-22-2013 04:29 PM

I'm attempting to look at average free memory in GB on a number of servers (named server01, server02, etc) over time.

Doing this simple query I get the information I'm looking for, and the data is in gigabytes:

eventtype="windows_performance" Host="server*" object="Memory" counter="Available MBytes" |  eval FreeGB=(Value/1024) | timechart span=30m avg(FreeGB) by Host

The problem I'm encountering is that I'd like to present the timecharted values as having only two decimal places, and I can't figure out how. Using "round" in the eval statement [for example eval FreeGB=round((Value/1024),2)] doesn't seem to work.

Any suggestions?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-22-2013 11:53 PM

You could roll it all into one eval timechart function:

... | timechart span=30m eval(round(avg(Value)/1024,2)) by Host

That will compute the average, convert to GB, and round to tens of MB.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-22-2013 11:53 PM

You could roll it all into one eval timechart function:

... | timechart span=30m eval(round(avg(Value)/1024,2)) by Host

That will compute the average, convert to GB, and round to tens of MB.

Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎05-31-2017 04:54 AM

Just a heads up for anyone trying this, that eval naming is still required. Martin's example does it with the 'by' clause, or you can use the 'AS' to rename.

Won't work:

| timechart span=15m eval(round(avg(RMS_Watts_Tot),2))

^^ Error in 'timechart' command: The eval expression 'eval(round(avg(RMS_Watts_Tot),2))' must be renamed.

Works:

| timechart span=15m eval(round(avg(RMS_Watts_Tot),2)) AS watts
| timechart span=15m eval(round(avg(RMS_Watts_Tot),2)) by host
- MattyMo
0 Karma
Reply
Solved! Jump to solution

dang
Path Finder
‎07-23-2013 08:07 AM

Thank you, Martin. That was the answer I was looking for.

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎07-22-2013 04:49 PM

"ROUND" is okay. Do you want to be a display what results? Value Is it a numeric type?Error Is the output to "search.log"?

round((tonumber(Value)/1024),2)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...