using round/floor function

smolcj
Builder

Hi all,
I just want to round some values in secs. I tried with the round and floor options, but it is not working. I extracted this field by using the MV_ADD option.
Please help.
Thank you.

0 Karma
1 Solution

jonuwz
Influencer

Dirty floor() workaround for multivalued fields

Given these non-integer values

| gentimes start=-1 increment=1h | stats list(eval(starttime/1000)) as times 

run this :

... | eval times=mvjoin(times,";") | rex mode=sed field=times "s/\.[0-9]+//g" | eval times=split(times,";")

This is assuming that the times you have are in epoch format, but should work for other data formats too.

The other alternative is to mvzip up all your multivalued fields into a new field, mvexpand the new field, extract out the time field, perform your floor function on it, then join everything up again.
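The mvzip/mvexpand alternative mentioned above, carried through for an event with three multivalue fields (the asker's case), as an added example that is not part of the original answer. The field names field1, b1time and other, and the sample values built with makeresults/split, are constructed for illustration.

```spl
| makeresults count=1
| eval field1=split("a;b;c", ";"),
       b1time=split("1404219200.734;1404219261.125;1404219322.999", ";"),
       other=split("x;y;z", ";")
| streamstats count as eventid
| eval zipped=mvzip(mvzip(field1, b1time, "|"), other, "|")
| mvexpand zipped
| fields - field1 b1time other
| rex field=zipped "^(?<field1>[^|]*)\|(?<b1time>[^|]*)\|(?<other>[^|]*)$"
| eval btime_floor=floor(b1time), btime_round=round(b1time, 2)
| stats list(field1) as field1, list(b1time) as b1time,
        list(btime_floor) as btime_floor, list(btime_round) as btime_round,
        list(other) as other
        by eventid
```

Each original event becomes one row per value, floor()/round() then operate on single values, and stats list() rebuilds the multivalue fields in their original order keyed by eventid.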

jonuwz
Influencer

It emulates floor without having to split the values into separate events.

smolcj
Builder

Dirty floor? Can you explain a little bit?

0 Karma

smolcj
Builder

Appreciating your effort, but mvexpand is working only for one multivalue field extraction in one event, and I have three.

0 Karma

Ayn
Legend

Perhaps using mvexpand could solve your issue?

0 Karma

smolcj
Builder

I am sorry for this late update, but if there is only one value per event, then it is working. What's wrong when extracting multiple values from the same event?

0 Karma

kristian_kolb
Ultra Champion

The following search will illustrate the different results you can expect from the floor, round and ceil functions. I've used the time as input, since you can easily reproduce the results.

* | head 1 | eval XX = _time / 1000000 | eval floorX = floor(XX) | eval r0X = round(XX,0) | eval r1X = round(XX,1) | eval r3X = round(XX,3) | eval ceilX = ceil(XX) | table XX, floorX, r0X, r1X, r3X, ceilX

/k

0 Karma

smolcj
Builder

index=main source=bbb.txt field1=* | eval btime=round(b1time,2) | table field1 btime b1time
Now the btime field is empty.
I extracted it using the MV_ADD option because all these field values come under one event, i.e.
[get_b1time]
REGEX=""
MV_ADD=true
It worked fine and the b1time values are correct.

0 Karma

Ayn
Legend

More details please? How is it not working? What search string are you using?

0 Karma