- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Percentage Eval
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Percentage Eval
Hi All,
There are a lot of percentage questions on this forum but I already know how percentages work but the Eval doesn't seem to work. I will explain.
Here is my search query:
sourcetype="Test" | reverse | delta TimeStamp AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval counter=round(timeDeltaS / 900) | eval to_add=if(counter > 1, (counter - 1), 0) | accum to_add as total_count | eval counter=1 | accum counter as max_count | eval perc=((max_count - total_count) / max_count) | stats max(perc), max(total_count), max(max_count), count(FilesOpen)
Which returns:
max(perc) max(total_count) max(max_count) count(FilesOpen)
1.000000 1 226 226
As you can see, the perc field is not returning a percentage, it is essentially 100%, but should be around 99% not 100%. However, when I swap total_count with an actual number,
sourcetype="Test" | reverse | delta TimeStamp AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval counter=round(timeDeltaS / 900) | eval to_add=if(counter > 1, (counter - 1), 0) | accum to_add as total_count | eval counter=1 | accum counter as max_count | eval perc=((max_count - 1) / max_count) | stats max(perc), max(total_count), max(max_count), count(FilesOpen)
I get this:
max(perc) max(total_count) max(max_count) count(FilesOpen)
0.995633 1 229 229
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Isn't total_count 0?
perc=((max_count - total_count) / max_count)
first:1-0/1=1.000000
last:226-1/226=0.995575
perc=((max_count - 1) / max_count)
first:1-1/1=0.000000
last:229-1/229=0.995633
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not think that there is a bug in the calculation of the number of significant digits of SPLUNK.
(I want you to check all the lines here)
sourcetype="Test" | reverse | delta TimeStamp AS timeDeltaS p=1 | eval timeDeltaS=abs(timeDeltaS) | eval counter=round(timeDeltaS / 900) | eval to_add=if(counter > 1, (counter - 1), 0) | accum to_add as total_count | eval counter=1 | accum counter as max_count | eval perc=((max_count - total_count) / max_count)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know the math points to total_count being equal to 0 but Splunk reports it as being equal to 1. Hence my confusion.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
