Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

numeric field with thousand separator - stats doesn't interpret as numeric, timechart does

grundsch
Communicator
‎09-12-2012 07:27 AM

I stumbled on a very strange behavior of stats versus timechart when trying to interpret an extracted numerical field.
The field in question contains "," as 1000 separators, so stats consider it as text, and will not calculate any sum or avg.
On the other hand, timechart is happy to get rid of the "," and makes a nice sum.

here's a quick demo of the effect:

* |head 1| eval in="0;1,000;2,000;4,000"| makemv delim=";" in| mvexpand in | table _time in | streamstats sum(in)

_time                       in      sum(in)
1   12/09/2012 16:18:23.000 0       0
2   12/09/2012 16:18:23.000 1,000   0
3   12/09/2012 16:18:23.000 2,000   0
4   12/09/2012 16:18:23.000 4,000   0

and now with timechart:

* |head 1| eval in="0;1,000;2,000;4,000"| makemv delim=";" in| mvexpand in | table _time in | timechart bins=2 sum(in)

_time                       sum(in)
1   12/09/2012 00:00:00.000 7000

Funny, isn't it?

  • Has anyone an explanation?
  • Is there a way to tell splunk to interpret a field as numeric and get rid of 1000 separators? (tonumber() is not clever enough)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎09-12-2012 07:35 AM

Remove the commas before piping to the stats command by using convert's rmcomma function.

rmcomma()
Syntax: rmcomma(<wc-field>) 
Description: Removes all commas from value, e.g. '1,000,000.00' -> '1000000.00'

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎09-12-2012 07:35 AM

Remove the commas before piping to the stats command by using convert's rmcomma function.

rmcomma()
Syntax: rmcomma(<wc-field>) 
Description: Removes all commas from value, e.g. '1,000,000.00' -> '1000000.00'

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert

Reply
Solved! Jump to solution

grundsch
Communicator
‎09-12-2012 07:58 AM

rock'n roll, it's working! also with auto:
* |head 1| eval in="0;1,000;2,000;4,000"| makemv delim=";" in| mvexpand in | table _time in |convert auto(in) | streamstats sum(in)

I suppose that timechart is applying auto() by default.
Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...