Splunk Search

rounding streamstats output to 2 decimal places

dang
Path Finder

I'm creating a simple table to show the success rate of an event. I've got the following statement in my Splunk search:

<splunk search stuff defining Success and Attempt> | eval rate=round((Success*100)/Attempt,2) | streamstats avg(rate) as average by _time | sort -_time limit=15 | fields _time rate average

The streamstats information is currently shown out to 6 decimal places, which is unnecessary. I can't seem to find the correct syntax to display the streamstats data with only two decimal points. Can anyone demonstrate how to do this properly?

0 Karma

sideview
SplunkTrust

I think the problem is the by _time? Having that there will make streamstats only do the average calculation for the events that are within the given event's exact second. Therefore if all the events in the set happen at different _time values, the "average" and the values themselves will always be the same.

Also not sure what the sort clause was doing there, since streamstats won't alter the sort order at all and the events will already be in descending time order.

<splunk search stuff defining Success and Attempt> | eval rate=round((Success*100)/Attempt,2) | streamstats avg(rate) as average | fields _time rate average

0 Karma

BobM
Builder

You have the round command before the streamstats; copying it after should give you what you want.

<splunk search stuff defining Success and Attempt> | eval rate=round((Success*100)/Attempt,2) | streamstats avg(rate) as average by _time | eval average=round(average,2) | sort -_time limit=15 | fields _time rate average

Bob

0 Karma

dang
Path Finder

Bob, I'm still trying to get this to work. It seems the streamstats is not "streaming", in that I'm getting the same value for both (the average and streamed) fields. Did you intend to define "average" with two eval statements, or should they use different names?

0 Karma
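A small Python model of the behaviour discussed in this thread, added here as an illustration and not posted by any participant: it shows why `streamstats avg(rate) as average by _time` returns the same value as `rate` when every event has a distinct `_time`, and that rounding has to be applied after the aggregation. The sample events and the helper names `streamstats_avg` and `run` are constructed for this example; the code models only a cumulative average with an optional by-field and is not Splunk's implementation.

```python
from collections import defaultdict

# Constructed sample events (not from the thread), newest first as Splunk
# returns them; every event has a distinct _time, as in the asker's data.
EVENTS = [
    {"_time": 1700000240, "Success": 47, "Attempt": 60},
    {"_time": 1700000180, "Success": 52, "Attempt": 60},
    {"_time": 1700000120, "Success": 58, "Attempt": 60},
    {"_time": 1700000060, "Success": 41, "Attempt": 60},
]


def streamstats_avg(events, field, out, by=None):
    """Model of `streamstats avg(field) as out [by <by>]`: a cumulative
    average over the events seen so far, tracked separately per by-value."""
    totals = defaultdict(lambda: [0.0, 0])  # group key -> [sum, count]
    result = []
    for ev in events:
        key = ev[by] if by else None
        totals[key][0] += ev[field]
        totals[key][1] += 1
        result.append({**ev, out: totals[key][0] / totals[key][1]})
    return result


def run(events, by=None):
    """Hypothetical helper chaining the three steps from the thread."""
    # eval rate=round((Success*100)/Attempt,2)
    rated = [{**e, "rate": round(e["Success"] * 100 / e["Attempt"], 2)}
             for e in events]
    # streamstats avg(rate) as average [by _time]
    streamed = streamstats_avg(rated, "rate", "average", by=by)
    # eval average=round(average,2)  <- rounding applied after the aggregation
    return [{**e, "average": round(e["average"], 2)} for e in streamed]


if __name__ == "__main__":
    for label, by in (("by _time", "_time"), ("no by clause", None)):
        print(label)
        for e in run(EVENTS, by=by):
            print(" ", e["_time"], e["rate"], e["average"])
```
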