Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I round to the nearest half with the eval command?

tkwaller_2
Communicator
‎09-18-2018 09:46 AM

Hello,

I have some values that are in the format of : 0, 0.5, 1, 1.5, 2, 2.5, 3, 3.5, 4, 4.5, 5

I am trying to find that average and only want whole and half numbers so nothing like 1.7 only avg's like 1, 2.5, 4, 3.5 etc.

I thought maybe if I multiplied by 2 and then divided that by the count and then again in half that would work but its not quite right.

|eval tmpscore=(score * 2)
|eval "Maturity Level"=round(((tmpscore/count)/2),1)

"score" being the sum of all the values of a field
Any ideas how I could get this type of rounding to work?

Thanks as always

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-18-2018 10:33 AM

How about this as a starting point?

| makeresults 
| eval calculated_average_score = 1.74 
| eval tmp_score = calculated_average_score*2 
| eval round_tmp_score = round(tmp_score) 
| eval final_round_calculated_average_score = round_tmp_score / 2

View solution in original post

Reply
Solved! Jump to solution
Solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-18-2018 10:33 AM

How about this as a starting point?

| makeresults 
| eval calculated_average_score = 1.74 
| eval tmp_score = calculated_average_score*2 
| eval round_tmp_score = round(tmp_score) 
| eval final_round_calculated_average_score = round_tmp_score / 2
Reply
Solved! Jump to solution

tkwaller_2
Communicator
‎09-18-2018 11:44 AM

I tried this but I still get the same results

|eval tmpscore=(score * 2)
|eval tmpscore=round(tmpscore)
|eval "Maturity Level"=((tmpscore/count)/2)

I still get values like:

1.3333333333333333  
2   
2.1666666666666665
1.5
1.625
3
1.75
1.8
0 Karma
Reply
Solved! Jump to solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-18-2018 12:05 PM

Another fuller example this time using the same field names (without count)

| makeresults count=10 
| eval value = (random()%100)/5
| stats avg(value) as score
| eval tmpscore=(score * 2)
| eval tmpscore=round(tmpscore)
| eval "Maturity Level"= tmpscore/2
0 Karma
Reply
Solved! Jump to solution

tkwaller_2
Communicator
‎09-18-2018 12:10 PM

yep, edited again and got the results I was looking for, thanks again!

0 Karma
Reply
Solved! Jump to solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-18-2018 12:12 PM

No worries, thanks for accepting the answer

0 Karma
Reply
Solved! Jump to solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-18-2018 11:54 AM

Does the SPL this answer provide work? It looks like you've tried to combine it into a single line and not done a like for like conversion. The SPL provided in this answer assumes you are converting an already calculated average (so you don't need count).

0 Karma
Reply
Solved! Jump to solution

msivill_splunk
Splunk Employee
Splunk Employee
‎09-18-2018 12:02 PM

A fuller example with average calculation.

| makeresults count=10 
| eval value = (random()%100)/5
| stats avg(value) as calculated_average_score
| eval tmp_score = calculated_average_score*2 
| eval round_tmp_score = round(tmp_score) 
| eval final_round_calculated_average_score = round_tmp_score / 2
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...