rounding streamstats output to 2 decimal places

Path Finder

I'm creating a simple table to show the success rate of an event. I've got the following statement in my Splunk search:

<splunk search stuff defining Success and Attempt> | eval rate=round((Success*100)/Attempt,2) | streamstats avg(rate) as average by _time | sort -_time limit=15 | fields _time rate average

The streamstats information is currently shown out to 6 decimal places, which is unnecessary. I can't seem to find the correct syntax to display the streamstats data with only two decimal points. Can anyone demonstrate how to do this properly?

0 Karma

Re: rounding streamstats output to 2 decimal places

Builder

You have the round command before the streamstats; copying it after should give you what you want.

<splunk search stuff defining Success and Attempt> | eval rate=round((Success*100)/Attempt,2) | streamstats avg(rate) as average by _time | eval average=round(average,2) | sort -_time limit=15 | fields _time rate average

Bob

0 Karma

Re: rounding streamstats output to 2 decimal places

Path Finder

Bob, I'm still trying to get this to work. It seems the streamstats is not "streaming", in that I'm getting the same value for both (the average and streamed) fields. Did you intend to define "average" with two eval statements, or should they use different names?

0 Karma

Re: rounding streamstats output to 2 decimal places

SplunkTrust

I think the problem is the by _time? Having that there will make streamstats only do the average calculation for the events that are within the given event's exact second. Therefore, if all the events in the set happen at different _time values, the "average" and the values themselves will always be the same.

Also not sure what the sort clause was doing there, since streamstats won't alter the sort order at all and the events will already be in descending time order.

<splunk search stuff defining Success and Attempt> | eval rate=round((Success*100)/Attempt,2) | streamstats avg(rate) as average | fields _time rate average

0 Karma
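The behaviour discussed in this thread can be reproduced on any search head with the following search, which is an added example and not code from any of the posts above. It builds five constructed events one minute apart with makeresults; the field names n, avg_by_time and running_avg and the Success/Attempt values are assumptions made for illustration.

```spl
| makeresults count=5
| streamstats count as n
| eval _time=_time-(n*60), Attempt=7, Success=7-n
| eval rate=round((Success*100)/Attempt,2)
| streamstats avg(rate) as avg_by_time by _time
| streamstats avg(rate) as running_avg
| eval avg_by_time=round(avg_by_time,2), running_avg=round(running_avg,2)
| table _time rate avg_by_time running_avg
```

Because every constructed event has its own _time, avg_by_time equals rate on every row, while running_avg accumulates across rows; the final eval is what trims both averages to two decimal places.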