Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

round number from max (*) as * and also avg(*) as *

mmouse88
Path Finder
‎06-03-2014 05:40 AM

I have a created a table using timechart with the max #. It generates a row of maximum of sourcetype. How would I round the max # to 0 decimal. Here's my command:

timechart sum(eval(quantity/12)) span=1h by sourcetype | stats max(*) as *

timechart sum(eval(quantity/12)) span=1h by sourcetype | stats avg(*) as *

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-03-2014 06:39 AM

How about this?

your base search | eval quantity=round(quantity/12) | timechart sum(quantity) span=1h by sourcetype | stats max(*) as *

Try this:

your base search | timechart sum(eval(quantity/12)) span=1h by sourcetype | stats max(*) as * 
| replace *.* with *#* | convert rmunit(*)

*Updated answer*
Don't know why I didn't think of this before. Try this

For max(*) as *

 your base search | bucket span=1h _time  | stats  sum(eval(quantity/12)) as total by _time, sourcetype | eval total=round(total) | eval temp=1| chart first(total) as total  over temp by sourcetype | fields - temp

For avg(*) as *

your base search | bucket span=1h _time  | stats  sum(eval(quantity/12)) as total by _time, sourcetype | stats avg(total) as total by sourcetype | eval total=round(total) | eval temp=1| chart first(total) as total  over temp by sourcetype | fields - temp

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-03-2014 06:39 AM

How about this?

your base search | eval quantity=round(quantity/12) | timechart sum(quantity) span=1h by sourcetype | stats max(*) as *

Try this:

your base search | timechart sum(eval(quantity/12)) span=1h by sourcetype | stats max(*) as * 
| replace *.* with *#* | convert rmunit(*)

*Updated answer*
Don't know why I didn't think of this before. Try this

For max(*) as *

 your base search | bucket span=1h _time  | stats  sum(eval(quantity/12)) as total by _time, sourcetype | eval total=round(total) | eval temp=1| chart first(total) as total  over temp by sourcetype | fields - temp

For avg(*) as *

your base search | bucket span=1h _time  | stats  sum(eval(quantity/12)) as total by _time, sourcetype | stats avg(total) as total by sourcetype | eval total=round(total) | eval temp=1| chart first(total) as total  over temp by sourcetype | fields - temp
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-04-2014 03:38 PM

Excellent both worked. Thank you so much for your dedication

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-04-2014 12:06 PM

See the updated answer. I also updated the previous one to remove _time from final result.

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-04-2014 11:42 AM

awesome. it worked. Thank you. can i ask for the second part using avg(*) as *

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-04-2014 11:07 AM

Got another alternative. Try the updated answer.

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-04-2014 10:45 AM

here are the values:
26 7.666636 7 6 5.583311 3.249987 2.999988 2

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-04-2014 05:51 AM

Can you paste some of the result which it was not able to truncate?

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-03-2014 05:48 PM

thx. It was able to convert or truncate some values after the decimal. Only 5 values (column 1, 4, 5, 11) had no decimal.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-03-2014 01:57 PM

Try the updated answer. Note that its not doing the rounding, its just truncating anything after the decimal point.

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-03-2014 11:31 AM

no worries, my fault. i might not of explain it clearly. without the round my query produce the results #.###### (6 decimal places)

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-03-2014 11:16 AM

Sorry I got confused. Are the values for field quantity less than 6??

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-03-2014 11:14 AM

precision, do u mean to remove the divide by 12?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-03-2014 10:59 AM

If you want no decimal places then you don't have to specify the precision (see the syntax in my answer).

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-03-2014 10:52 AM

if i add to your command: eval quantity=round(quantity/12,1). It gives me one decimal place which is pretty close to what I want. would like 0 decimal places. replace ,1 with 0 then results is all 0s.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-03-2014 10:49 AM

Can you post your current working query? one with no rounding?

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-03-2014 10:36 AM

sorry, it didn't work. results produce all 0s

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...