Solved: How to round a number when displaying results in a...

navd · ‎08-20-2018

I am trying to display the response times of services for the last 7 days in a chart , but I want to round the response time .
for example I only want 2 digits to be displayed after decimal .

My query :-

| chart avg(response_time) over services by Date
| foreach * [eval response_time = round(response_time,2)]

But the above query doesn't work for me

niketn · ‎08-20-2018

@navd while using foreach as a template you would need to use <<FIELD>> to replace template value for eval. Since you have used chart ... over services by Date. Your first column will be services and other Columns would be Date field. Following is what you can try

<yourBaseSearch>
| chart avg(response_time) over services by Date
| rename * as avg_*
| rename avg_services as services 
| foreach avg_* [eval "<<FIELD>>"= round('<<FIELD>>',2)]
| rename avg_* as *

Following is a run anywhere search example based on Splunk's _internal index similar to your query:

index=_internal sourcetype=splunkd
| chart avg(date_second) as date_second by component date_hour
| rename * as avg_*
| rename avg_component as component
| foreach avg* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]
| rename avg_* as *

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎08-20-2018

@navd while using foreach as a template you would need to use <<FIELD>> to replace template value for eval. Since you have used chart ... over services by Date. Your first column will be services and other Columns would be Date field. Following is what you can try

<yourBaseSearch>
| chart avg(response_time) over services by Date
| rename * as avg_*
| rename avg_services as services 
| foreach avg_* [eval "<<FIELD>>"= round('<<FIELD>>',2)]
| rename avg_* as *

Following is a run anywhere search example based on Splunk's _internal index similar to your query:

index=_internal sourcetype=splunkd
| chart avg(date_second) as date_second by component date_hour
| rename * as avg_*
| rename avg_component as component
| foreach avg* [| eval "<<FIELD>>"=round('<<FIELD>>',2)]
| rename avg_* as *

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

navd · ‎08-20-2018

This worked for me , but is there a way to sort the result in asc or desc order ?

niketn · ‎08-20-2018

@navd your Date field is String time so sorting would depend on what Date field looks like... for example

YYYY/MM/DD format date will get sorted correctly however DD/MM/YYYY will not. So you might have to apply Serial number to your Date field before Chart and remove the same after Chart command.

For us to assist you better, you will need to provide Date field sample values and also current output vs expected output result.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

navd · ‎08-20-2018

I am using this | eval Date=strftime(_time, "%Y-%m-%d") to display the Date as YYYY/MM/DD

navd · ‎09-07-2018

@niketnilay so with the above query my output looks something like below one . Now want to actually display these responsetime values in asc or desc order , so how do I sort them

2018-09-07

165565
125
44664646.23
1.1

How to round a number when displaying results in a chart?

2018-09-07

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk