Solved: How to display summed results that are less than 1...

tapptress · ‎08-04-2016

I have values in a field that, when summed, are values less than 1 (ie, .79 .03). I need these values to display in my table, but they currently do not. I assume it is because they are a value less than 1. They display when they aren't summed, so is there a way to format a summed value so it will display these smaller values?

somesoni2 · ‎08-15-2016

Seems like the value .03 is not recognized as proper decimal number. Give this a try

| eval Duration=if(substr(Duration,1,1)=".","0".Duration,Duration) | stats list(RFO) as RFO, list (DAYSOUT) as Duration, list(count) as COUNT, sum(count) as total tickets by sensor | convert num(Duration) |stats sum(Duration) as Duration by Sensor

View solution in original post

somesoni2 · ‎08-15-2016

Seems like the value .03 is not recognized as proper decimal number. Give this a try

| eval Duration=if(substr(Duration,1,1)=".","0".Duration,Duration) | stats list(RFO) as RFO, list (DAYSOUT) as Duration, list(count) as COUNT, sum(count) as total tickets by sensor | convert num(Duration) |stats sum(Duration) as Duration by Sensor

tapptress · ‎08-16-2016

Thanks. This appears to have worked. Really appreciate it!

twinspop · ‎08-04-2016

Splunk does not round or truncate numbers by default in any situations I'm aware of. Can you provide sample logs, searches and results?

richgalloway · ‎08-04-2016

Using round or exact in your eval may help. Show us your query for a better answer.

---
If this reply helps you, Karma would be appreciated.

tapptress · ‎08-15-2016

I'm basically just summing duration times for a particular device outage

|stats sum(Duration) as Duration by Sensor -- my search returns 3 values to sum [.03, 4.75, and 7.24] -- the result is 11.99, it seems to be ignoring the .03 value

somesoni2 · ‎08-15-2016

Can you run this and share results (for the Sensor you're seeing issue)

your base search | table Sensor Duration | appendpipe [|stats sum(Duration) as Duration by Sensor]

tapptress · ‎08-15-2016

I have all of that
base search, I did stats list(RFO) as RFO, list (DAYSOUT) as Duration, list(count) as COUNT, sum(count) as total tickets by sensor |appendpipe [|stats sum(Duration) as Duration by Sensor]

I get everything I want with the exception of any duration that is less than 1 is ignored. How do I get the sum functions to add the 0.something values?

somesoni2 · ‎08-15-2016

I'm guessing the number format could be the issue here. Could you try this

stats list(RFO) as RFO, list (DAYSOUT) as Duration, list(count) as COUNT, sum(count) as total tickets by sensor | convert num(Duration) |appendpipe [|stats sum(Duration) as Duration by Sensor]

tapptress · ‎08-15-2016

Same result. 11.99 when it should be 12.02

How to display summed results that are less than 1 in a table?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life