Getting maximum value from a series of fields - not working

msarro
Builder

Hey everyone. I've got a box with numerous CPU cores, and each has its own field. I need to find the maximum value of those fields. So far I have attempted:

|eval MAX_CPU=max(CPU_CORE_0_SLOT_0_USAGE,CPU_CORE_1_SLOT_0_USAGE,CPU_CORE_1024_SLOT_0_USAGE,CPU_CORE_1025_SLOT_0_USAGE,CPU_CORE_0_SLOT_1_USAGE,CPU_CORE_1_SLOT_1_USAGE,CPU_CORE_1024_SLOT_1_USAGE,CPU_CORE_1025_SLOT_1_USAGE)

But the returned values in MAX_CPU seem to be wholly arbitrary. They're contained in the sets of fields, but they're not correct.

I have also tried creating field aliases for all of the CPU USAGE fields (calling the alias CPU_USAGE). The value of max(CPU_USAGE) is always 1 or 2, even though there are CPU values far higher.

Some help would be greatly appreciated, thanks!

1 Solution

gkanapathy
Splunk Employee

Based on other answers and some testing, it looks like there is indeed a bug in max().

A workaround appears to be to wrap the variables in tonumber():

| stats count | eval g=234 | eval h=12 
| eval badmax=max(g,h) 
| eval goodmax=max(tonumber(g),tonumber(h))

Marklar
Splunk Employee

Gerald is correct. From eval's perspective, every field value is considered to be both of string and numeric type, to allow for flexibility in the operations. The max() function was designed to allow for taking the maximum of mixed types, with strings being greater than numbers.

The bug here is the numeric type should take precedence if we can parse the value as a number. This will be fixed. But for now you can do something to ensure that the field value is numeric, such as using tonumber()

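The two posts above (the tonumber() workaround and the explanation that eval treats field values as both string and number, with strings ranking above numbers) come down to one thing: when max() compares the values as strings, "30" beats "234" because "3" sorts after "2". The search below is an added example, not code from the thread or from Splunk; it reproduces the effect on a few of the original poster's CPU_CORE_*_USAGE field names with constructed values, applies the tonumber() fix, and then extends it with foreach so the maximum is taken over every matching field without listing each one. It assumes a Splunk version that has the foreach command (introduced after the 5.x releases discussed here) and that every usage field is a non-negative number, which is what the coalesce(any_max, 0) seed relies on.

```spl
| stats count
| eval CPU_CORE_0_SLOT_0_USAGE=7, CPU_CORE_1_SLOT_0_USAGE=234, CPU_CORE_1024_SLOT_0_USAGE=30
| eval bad_max=max(CPU_CORE_0_SLOT_0_USAGE, CPU_CORE_1_SLOT_0_USAGE, CPU_CORE_1024_SLOT_0_USAGE)
| eval good_max=max(tonumber(CPU_CORE_0_SLOT_0_USAGE), tonumber(CPU_CORE_1_SLOT_0_USAGE), tonumber(CPU_CORE_1024_SLOT_0_USAGE))
| foreach CPU_CORE_*_USAGE
    [ eval any_max=max(coalesce(any_max, 0), tonumber('<<FIELD>>')) ]
| table bad_max good_max any_max
```

On a build affected by the bug, bad_max comes back as 30 while good_max and any_max both give 234; on a fixed build all three agree. The foreach form is the one to reach for when the core count is large or varies between hosts, since the wildcard picks up whatever CPU_CORE_*_USAGE fields each event carries instead of a hand-written argument list that silently goes stale when a slot is added.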

gkanapathy
Splunk Employee

My guess is that it's doing comparisons as a string when it sees a variable name (vs a literal number) in the arguments.


msarro
Builder

That workaround works fantastically. I'm guessing there may be an issue with how max handles numbers? Maybe it sees them as strings occasionally?


Ron_Naken
Splunk Employee

I receive the same results. Support ticket filed.

ftk
Motivator

Hmm, I wonder if there is a bug with max()?

I did this test:

* | head 1 | eval blah=234 | eval foo=30 | eval maxx=max(blah,foo) | table maxx foo blah

And get the following result:

maxx  foo  blah
30    30   234

When maxx should definitely be 234. If you have enterprise support, I recommend putting in a support request for your issue.

HattrickNZ_2
Engager

Using Splunk version 5.0.1, build 143156, I get

maxx  foo  blah
234   30   234

so this works on my version.
