Splunk Search

## round function doesn't work with timechart but does with table

Contributor

This following doesn't work. I don't see the decimals limiting to two digits.
| eval n=round(var5,2) | timechart span=1d avg(n) as avg_count by host

But when I do this,
| eval n=round(var5,2) | table var5
It works.

I tested that in timechart command neither round nor ceiling function is working.
Any suggestion on how to make it work?
Or something wrong with my Splunk set up.

Tags (1)
1 Solution
Ultra Champion

That's because you are rounding the value in n, but you're not rounding the result of the `avg()` function.

So you need to do:

``````| eval n=round(var5,2) | timechart span=1d eval(round(avg(n),2)) as avg_count by host
``````
Contributor

Could you help how to use ceiling in the same search.

Ultra Champion

Have a look at the search reference for how to use the timechart command. Especially on how to use eval functions: http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Timechart

If you want to apply `ceiling()`, just put that in instead of `round()`. For example (leaving the var5 value as is now, although you can already apply ceiling to that as well if you want):

``````| eval n=var5 | timechart span=1d eval(ceiling(avg(n)) as avg_count by host
``````
Contributor

I tried it. But ceiling function won't work. It says
| eval n=var5 | timechart span=1d eval(ceiling(avg(n)) as avg_count by host
Mismatched quotes and/or parenthesis.

and with this | eval n=var5 | timechart span=1d eval(ceiling(avg(n))) as avg_count by host
The eval expression has no fields: 'ceiling(avg(n))'

Legend

@zacksoft try the following:

``````<yourBaseSearch>
| timechart span=1d eval(avg(var5)) as avg_count by host
| foreach * [eval "<<FIELD>>"=ceiling('<<FIELD>>')]
``````

PS: I have taken out `| eval n=round(var5,2)`

Contributor

@niketnilay : That was awesome. Thank you very very much.

Legend

@zacksoft glad it worked. You can up vote the comment if it helped... Happy Weekend!

