- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can I divide by zero in splunk?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I divide by zero in splunk?
I was having trouble evaluating a field and I think it was because I was dividing by zero.
This is my solution.
Hope fully it is self explainatory.
Have I understodd this correctly? Have you got a better one/solution?
| makeresults
| eval data = "
1-Sep 657 34 0;
2-Sep 434 34 0;
"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)"
| fields + Date kpi1 kpi2 kpi3 | fields - _time
| eval kpi4=kpi2/kpi3 | rename comment as "kpi4 column will not show up because kpi3 = zero"
| eval kpi5=if(kpi3=0,"",kpi2/kpi3) | rename comment as "kpi5 column will show up because I handle the kpi3=zero and return blank" |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your understanding is correct. But I'm not a big fan of "blank" or null, so may be better to evaluate it to a "NotDefined" or a negative integer to make it easier for outcome searches.
And also good to have fillnull for each fields you extract just in case.
| makeresults
| eval data = "
1-Sep 657 34 0;
2-Sep 434 34 0;
"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)"
| fields + Date kpi1 kpi2 kpi3 | fields - _time
| eval kpi4=kpi2/kpi3 | rename comment as "kpi4 column will not show up because kpi3 = zero"
| eval kpi5=if(kpi3=0,"NotDefined",kpi2/kpi3) | rename comment as "kpi5 column will show up because I handle the kpi3=zero and return NotDefined"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks good to me 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have understood it correctly, if the eval fails, it will return null for that evaluation. If all the evals return null for a field, then that field doesn't exist. Your idea for KPI5 is a good way of handling it.
This docs page explains eval, and under the General heading it confirms that division by zero results in a null value:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval#General
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
