Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rounding to -2 works but not -3?

kearaspoor
SplunkTrust
SplunkTrust
‎05-17-2017 12:22 PM

Working on a search that will monitor when the searches that populate a summary index run and I'm needing to round the epoch time of when the search started to the closest hour.

| eval runtime=strftime(info_search_time, "%m/%d/%y %H")
Appropriately groups things but doesn't allow me to perform further calculations on the time value
I've also tried re-converting this timestamp to epoch using strptime(runtime,"%s") but it doesn't work unless I include the minute/second details... I haven't figured out how to replace those with zeros.

| eval RUNTIME=round(info_search_time,0)
appropriately removes the numbers to the right of the decimal, leaving just an integer.

To my pleasant surprise, I found that:
| eval RUNTIME=round(info_search_time,-2)
rounds the epoch time to: ########00

But when I try:
| eval RUNTIME=round(info_search_time,-3)
instead of getting #######000, as I'd like, I'm getting -nan

Any idea why rounding to -3 isn't allowed or if there's some other approach I should be trying?

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-17-2017 12:27 PM

If all you need is to round the value of info_search_time rounded to hour, use the bucket command.

...| bucket span=1h info_search_time

It'll keep the value in epoch and round/bucket it to hour length.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-17-2017 01:38 PM

You should open a support case; I made a comment on the documentation page.

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎05-17-2017 01:15 PM

Check out the accepted answer in this post:

https://answers.splunk.com/answers/200468/round-problem.html

I have tested this (see screenshot)

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-17-2017 12:27 PM

If all you need is to round the value of info_search_time rounded to hour, use the bucket command.

...| bucket span=1h info_search_time

It'll keep the value in epoch and round/bucket it to hour length.

Reply
Solved! Jump to solution

kearaspoor
SplunkTrust
SplunkTrust
‎05-17-2017 01:27 PM

The comment made by somesoni2, recommending the bucket command worked like a charm but I can't accept it as the correct answer because it was posted as a comment. 😞 If it gets moved I'll accept it as a great answer. Thank you!

Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎05-17-2017 02:03 PM

@kearaspoor - I have moved somesoni2's comment to an answer that you can accept. Thanks for leaving that comment saying it helped you 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...