Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

numeric field with thousand separator - stats doesn't interpret as numeric, timechart does

grundsch
Communicator
‎09-12-2012 07:27 AM

I stumbled on a very strange behavior of stats versus timechart when trying to interpret an extracted numerical field.
The field in question contains "," as 1000 separators, so stats consider it as text, and will not calculate any sum or avg.
On the other hand, timechart is happy to get rid of the "," and makes a nice sum.

here's a quick demo of the effect:

* |head 1| eval in="0;1,000;2,000;4,000"| makemv delim=";" in| mvexpand in | table _time in | streamstats sum(in)

_time                       in      sum(in)
1   12/09/2012 16:18:23.000 0       0
2   12/09/2012 16:18:23.000 1,000   0
3   12/09/2012 16:18:23.000 2,000   0
4   12/09/2012 16:18:23.000 4,000   0

and now with timechart:

* |head 1| eval in="0;1,000;2,000;4,000"| makemv delim=";" in| mvexpand in | table _time in | timechart bins=2 sum(in)

_time                       sum(in)
1   12/09/2012 00:00:00.000 7000

Funny, isn't it?

  • Has anyone an explanation?
  • Is there a way to tell splunk to interpret a field as numeric and get rid of 1000 separators? (tonumber() is not clever enough)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎09-12-2012 07:35 AM

Remove the commas before piping to the stats command by using convert's rmcomma function.

rmcomma()
Syntax: rmcomma(<wc-field>) 
Description: Removes all commas from value, e.g. '1,000,000.00' -> '1000000.00'

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎09-12-2012 07:35 AM

Remove the commas before piping to the stats command by using convert's rmcomma function.

rmcomma()
Syntax: rmcomma(<wc-field>) 
Description: Removes all commas from value, e.g. '1,000,000.00' -> '1000000.00'

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert

Reply
Solved! Jump to solution

grundsch
Communicator
‎09-12-2012 07:58 AM

rock'n roll, it's working! also with auto:
* |head 1| eval in="0;1,000;2,000;4,000"| makemv delim=";" in| mvexpand in | table _time in |convert auto(in) | streamstats sum(in)

I suppose that timechart is applying auto() by default.
Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...