Splunk Search

rounding streamstats output to 2 decimal places

dang
Path Finder

I'm creating a simple table to show the success rate of an event. I've got the following statement in my Splunk search:

<splunk search stuff defining Success and Attempt> | eval rate=round((Success*100)/Attempt,2) | streamstats avg(rate) as average by _time | sort -_time limit=15 | fields _time rate average

The streamstats information is currently shown out to 6 decimal places, which is unnecessary. I can't seem to find the correct syntax to display the streamstats data with only two decimal points. Can anyone demonstrate how to do this properly?

0 Karma

sideview
SplunkTrust

I think the problem is the by _time? Having that there will make streamstats only do the average calculation for the events that are within the given event's exact second. Therefore if all the events in the set happen at different _time values, the "average" and the values themselves will always be the same.

Also not sure what the sort clause was doing there, since streamstats won't alter the sort order at all and the events will already be in descending time order.

<splunk search stuff defining Success and Attempt> | eval rate=round((Success*100)/Attempt,2) | streamstats avg(rate) as average | fields _time rate average

0 Karma

BobM
Builder

You have the round command before the streamstats; copying it after should give you what you want.

<splunk search stuff defining Success and Attempt> | eval rate=round((Success*100)/Attempt,2) | streamstats avg(rate) as average by _time | eval average=round(average,2) | sort -_time limit=15 | fields _time rate average

Bob

0 Karma

dang
Path Finder

Bob, I'm still trying to get this to work. It seems the streamstats is not "streaming", in that I'm getting the same value for both (the average and streamed) fields. Did you intend to define "average" with two eval statements, or should they use different names?

0 Karma
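The behaviour discussed in this thread can be reproduced with a self-contained search. This is an added example, not a search posted by any participant. It uses constructed events from makeresults with made-up Success and Attempt values and one distinct _time per event, and the field names n, average_by_time, running_average and running_average_2dp are assumptions chosen for illustration.

```spl
| makeresults count=5
| streamstats count as n
| eval _time=_time-(n*60), Success=n, Attempt=7
| eval rate=round((Success*100)/Attempt,2)
| streamstats avg(rate) as average_by_time by _time
| streamstats avg(rate) as running_average
| eval running_average_2dp=round(running_average,2)
| table _time rate average_by_time running_average running_average_2dp
```

Because every constructed event has its own _time, average_by_time repeats rate on each row, while running_average accumulates across rows and running_average_2dp shows the effect of a second round placed after streamstats.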