Splunk Search

## round number from max (*) as * and also avg(*) as *

Path Finder

I have created a table using timechart with the max #. It generates a row of the maximum for each sourcetype. How would I round the max # to 0 decimals? Here are my commands:

```
timechart sum(eval(quantity/12)) span=1h by sourcetype | stats max(*) as *
```

```
timechart sum(eval(quantity/12)) span=1h by sourcetype | stats avg(*) as *
```

1 Solution
Revered Legend

```
your base search | eval quantity=round(quantity/12) | timechart sum(quantity) span=1h by sourcetype | stats max(*) as *
```

Try this:

```
your base search | timechart sum(eval(quantity/12)) span=1h by sourcetype | stats max(*) as *
| replace *.* with *#* | convert rmunit(*)
```

Don't know why I didn't think of this before. Try this

For max(*) as *

```
your base search | bucket span=1h _time | stats sum(eval(quantity/12)) as total by _time, sourcetype | eval total=round(total) | eval temp=1 | chart first(total) as total over temp by sourcetype | fields - temp
```

For avg(*) as *

```
your base search | bucket span=1h _time | stats sum(eval(quantity/12)) as total by _time, sourcetype | stats avg(total) as total by sourcetype | eval total=round(total) | eval temp=1 | chart first(total) as total over temp by sourcetype | fields - temp
```
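
The all-0s result reported in this thread is what per-event rounding produces whenever every quantity is below 6. The following is an added example, not part of the original posts: a Python model (not SPL) comparing rounding before the hourly sum, rounding after it, and truncating after it. The events, sourcetype names and helper names are constructed assumptions, and `spl_round` assumes round-half-up for positive values.

```python
import math
from collections import defaultdict

# Constructed sample events (epoch seconds, sourcetype, quantity); not from the thread.
EVENTS = [
    (0, "st_a", 3), (600, "st_a", 5), (1200, "st_a", 2),
    (3600, "st_a", 4), (4200, "st_a", 1),
    (0, "st_b", 5), (900, "st_b", 5), (1800, "st_b", 5), (2700, "st_b", 5),
    (3600, "st_b", 2),
]

def spl_round(x):
    """Assumed model of eval round(x) with no precision: half-up for positive x."""
    return math.floor(x + 0.5)

def hourly_sums(events, per_event):
    """Models: bucket span=1h _time | stats sum(<per_event>) by _time, sourcetype."""
    sums = defaultdict(float)
    for ts, sourcetype, quantity in events:
        sums[(ts // 3600 * 3600, sourcetype)] += per_event(quantity)
    return sums

def max_by_sourcetype(sums, post=lambda v: v):
    """Models: stats max(*) as *, applying `post` to each hourly total first."""
    out = {}
    for (_, sourcetype), total in sums.items():
        value = post(total)
        out[sourcetype] = max(out.get(sourcetype, value), value)
    return out

def round_before_sum(events):
    # eval quantity=round(quantity/12) | timechart sum(quantity): small values vanish.
    return max_by_sourcetype(hourly_sums(events, lambda q: spl_round(q / 12)))

def round_after_sum(events):
    # stats sum(eval(quantity/12)) as total | eval total=round(total)
    return max_by_sourcetype(hourly_sums(events, lambda q: q / 12), post=spl_round)

def truncate_after_sum(events):
    # Dropping everything after the decimal point instead of rounding.
    return max_by_sourcetype(hourly_sums(events, lambda q: q / 12), post=math.floor)

if __name__ == "__main__":
    for fn in (round_before_sum, round_after_sum, truncate_after_sum):
        print(fn.__name__, fn(EVENTS))
```
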
Path Finder

Excellent, both worked. Thank you so much for your dedication.

Revered Legend

See the updated answer. I also updated the previous one to remove _time from final result.

Path Finder

Awesome. It worked. Thank you. Can I ask for the second part using avg(*) as *?

Revered Legend

Got another alternative. Try the updated answer.

Path Finder

Here are the values:
26 7.666636 7 6 5.583311 3.249987 2.999988 2

Revered Legend

Can you paste some of the result which it was not able to truncate?

Path Finder

thx. It was able to convert or truncate some values after the decimal. Only 5 values (column 1, 4, 5, 11) had no decimal.

Revered Legend

Try the updated answer. Note that it's not doing the rounding, it's just truncating anything after the decimal point.

Path Finder

No worries, my fault. I might not have explained it clearly. Without the round, my query produces the results #.###### (6 decimal places).

Revered Legend

Sorry I got confused. Are the values for field quantity less than 6??

Path Finder

Precision, do you mean to remove the divide by 12?

Revered Legend

If you want no decimal places then you don't have to specify the precision (see the syntax in my answer).

Path Finder

If I add to your command: eval quantity=round(quantity/12,1), it gives me one decimal place, which is pretty close to what I want. I would like 0 decimal places. Replace ,1 with 0 and then the results are all 0s.

Revered Legend

Can you post your current working query? The one with no rounding?

Path Finder

Sorry, it didn't work. The results produce all 0s.
