Solved: Re: Possible eval min bug?

vaijpc · ‎03-04-2011

Howdy, I've got some very simple data and I'm running the following on it:

index=main sourcetype=something host=something-else.csv
| eval minX = min(X1, X2, X3)
| timechart span=1day min(X1) min(X2) min(X3) min(minX)

X1, X2, X3 all range both positive & negative, as well as including decimals.

Oddly, the above always gives the value of X2 for minX. However, if I change it to

index=main sourcetype=something host=something-else.csv
| eval minX = min(1000000, X1, X2, X3)
| timechart span=1day min(X1) min(X2) min(X3) min(minX)

where 1000000 is some number above all the other numbers, it works as I want it to and selects the minimum value of the 3 fields.
I'm not sure why adding the 4th value should change anything... any ideas?

gkanapathy · ‎03-05-2011

Probably a bug. Try using

... | eval minX = min(tonumber(X1), tonumber(X2), tonumber(X3)) | ...

instead.

It is likely related to this: http://answers.splunk.com/questions/11523/getting-maximum-value-from-a-series-of-fields-not-working

View solution in original post

gkanapathy · ‎03-05-2011

Probably a bug. Try using

... | eval minX = min(tonumber(X1), tonumber(X2), tonumber(X3)) | ...

instead.

It is likely related to this: http://answers.splunk.com/questions/11523/getting-maximum-value-from-a-series-of-fields-not-working

vaijpc · ‎03-07-2011

Yep this looks to have resolved the issue. Means I don't need to chose an arbitrarily large number as my first field for min() so wahey. Still, min() shouldn't treat individual parameters differently depending on the other parameters should it? I can't seem to find a bugtracker to file this on, are you able to reproduce this? How should I notify 'splunk'?

sideview · ‎03-04-2011

One idea, is that in the docs it says that min(X,...) will actually operate on strings as well as numbers. It says specifically that strings sort higher than numbers.

http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions

However timechart and chart will always ignore values that are not numbers.

The difference is somewhat sensible -- timechart and chart, when you're using their numeric functions, are designed to 'graph' and 'chart' things so they silently filter out occasional non-numeric outliers. eval on the other hand is a much more general tool.

So one idea is to use the eval functions isnum() and tonumber() to see what you can find out anything weird about X2.

see if this changes anything --

index=main sourcetype=something host=something-else.csv 
| eval x2IsNumber = if(isnum(X2),1,0) | timechart count sum(x2IsNumber) as x2numericCount

and look for places where the second line drops below the count line. If there are any such places you may have your culprit.

sideview · ‎03-08-2011

Sure, it's easy. Just send an email to support@splunk.com and they'll file it for you. splunk support is awesome. Say hi from nick. 😃

vaijpc · ‎03-08-2011

Yup, i guess isnum and eval min() just decide in different ways. Don't suppose you know where I could file a bug?

sideview · ‎03-07-2011

Well, it was worth a shot. 😃

vaijpc · ‎03-07-2011

I'm afraid the lines were always equal.

Possible eval min bug?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases