Splunk Search

Getting maximum value from a series of fields - not working

msarro
Builder

Hey everyone. I've got a box with numerous CPU cores, and each has its own field. I need to find the maximum value of those fields. So far I have attempted:

|eval MAX_CPU=max(CPU_CORE_0_SLOT_0_USAGE,CPU_CORE_1_SLOT_0_USAGE,CPU_CORE_1024_SLOT_0_USAGE,CPU_CORE_1025_SLOT_0_USAGE,CPU_CORE_0_SLOT_1_USAGE,CPU_CORE_1_SLOT_1_USAGE,CPU_CORE_1024_SLOT_1_USAGE,CPU_CORE_1025_SLOT_1_USAGE)

But the returned values in MAX_CPU seem to be wholly arbitrary. They're contained in the sets of fields, but they're not correct.

I have also tried creating field aliases for all of the CPU USAGE fields (calling the alias CPU_USAGE). The value of max(CPU_USAGE) is always 1 or 2, even though there are CPU values far higher.

Some help would be greatly appreciated, thanks!

1 Solution

gkanapathy
Splunk Employee

Based on other answers and some testing, it looks like there is indeed a bug in max().

A workaround appears to be to wrap the variables in tonumber():

| stats count | eval g=234 | eval h=12 
| eval badmax=max(g,h) 
| eval goodmax=max(tonumber(g),tonumber(h))

Marklar
Splunk Employee

Gerald is correct. From eval's perspective, every field value is considered to be both of string and numeric type, to allow for flexibility in the operations. The max() function was designed to allow for taking the maximum of mixed types, with strings being greater than numbers.

The bug here is that the numeric type should take precedence if we can parse the value as a number. This will be fixed. But for now you can do something to ensure that the field value is numeric, such as using tonumber().


gkanapathy
Splunk Employee

My guess is that it's doing comparisons as a string when it sees a variable name (vs. a literal number) in the arguments.


msarro
Builder

That workaround works fantastically. I'm guessing there may be an issue with how max handles numbers? Maybe it sees them as strings occasionally?


Ron_Naken
Splunk Employee

I receive the same results. Support ticket filed.

ftk
Motivator

Hmm, I wonder if there is a bug with max()?

I did this test:

* | head 1 | eval blah=234 | eval foo=30 | eval maxx=max(blah,foo) | table maxx foo blah

And get the following result:

maxx  foo  blah
30    30   234

When maxx should definitely be 234. If you have enterprise support, I recommend putting in a support request for your issue.
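To make the mechanism behind ftk's result and Marklar's explanation concrete, here is an added Python model of it; this is illustration code written for this thread, not Splunk's own implementation. lexical_max models eval max() comparing both arguments as strings (so "30" beats "234" because "3" sorts after "2"), tonumber/numeric_max model the tonumber() workaround, and max_cpu_usage goes beyond the two-argument test to the original question's case of taking the maximum across every CPU_CORE_*_USAGE field of one event. That the buggy comparison is purely lexicographic is an assumption consistent with the test output above, and the SAMPLE_EVENT values are constructed.

```python
"""Model of the Splunk eval max() string-vs-number pitfall (added example, not Splunk code)."""


def lexical_max(*values):
    """Model of the buggy behaviour: every argument is compared as a string.

    Assumption: the comparison is plain lexicographic order, which reproduces
    ftk's result max("234", "30") -> "30".  Nulls (None) are ignored.
    """
    present = [str(v) for v in values if v is not None]
    return max(present) if present else None


def tonumber(value):
    """Model of SPL tonumber(): a number for parseable input, otherwise None (SPL null)."""
    if value is None:
        return None
    try:
        return float(str(value).strip())
    except ValueError:
        return None


def numeric_max(*values):
    """Model of max(tonumber(a), tonumber(b), ...): unparseable/null arguments drop out."""
    nums = [n for n in (tonumber(v) for v in values) if n is not None]
    return max(nums) if nums else None


def max_cpu_usage(event, prefix="CPU_CORE_", suffix="_USAGE"):
    """Maximum across all CPU_CORE_*_USAGE fields of one event, each coerced with tonumber().

    This is the general form of the question's eight-field max(); a core whose
    value cannot be parsed (e.g. "N/A") is skipped rather than poisoning the result.
    """
    usage_values = (v for k, v in event.items() if k.startswith(prefix) and k.endswith(suffix))
    return numeric_max(*usage_values)


# Constructed sample event: field names follow the thread, values are made up.
SAMPLE_EVENT = {
    "host": "cpubox01",
    "CPU_CORE_0_SLOT_0_USAGE": "87",
    "CPU_CORE_1_SLOT_0_USAGE": "9",
    "CPU_CORE_1024_SLOT_0_USAGE": "100",
    "CPU_CORE_1025_SLOT_0_USAGE": "N/A",  # unparseable, ignored by numeric_max
    "CPU_CORE_0_SLOT_1_USAGE": "12",
}


if __name__ == "__main__":
    # Reproduces ftk's test: string comparison picks 30, numeric comparison picks 234.
    print("badmax :", lexical_max("234", "30"))
    print("goodmax:", numeric_max("234", "30"))
    # The same bug on the original question's field set: "9" would win lexically.
    print("lexical MAX_CPU:", lexical_max(*(v for k, v in SAMPLE_EVENT.items() if "USAGE" in k)))
    print("numeric MAX_CPU:", max_cpu_usage(SAMPLE_EVENT))
```

The lexical model also explains why a value like 9 or 1 "wins" in the original post: among "87", "9", "100" and "12" the string "9" sorts last, which is exactly the kind of wholly arbitrary result msarro saw until every argument was forced through tonumber().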

HattrickNZ_2
Engager

Using Splunk version 5.0.1, build 143156, I get

maxx  foo  blah
234   30   234

so this works on my version.
