Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

numeric field with thousand separator - stats doesn't interpret as numeric, timechart does

grundsch
Communicator
‎09-12-2012 07:27 AM

I stumbled on a very strange behavior of stats versus timechart when trying to interpret an extracted numerical field.
The field in question contains "," as 1000 separators, so stats consider it as text, and will not calculate any sum or avg.
On the other hand, timechart is happy to get rid of the "," and makes a nice sum.

here's a quick demo of the effect:

* |head 1| eval in="0;1,000;2,000;4,000"| makemv delim=";" in| mvexpand in | table _time in | streamstats sum(in)

_time                       in      sum(in)
1   12/09/2012 16:18:23.000 0       0
2   12/09/2012 16:18:23.000 1,000   0
3   12/09/2012 16:18:23.000 2,000   0
4   12/09/2012 16:18:23.000 4,000   0

and now with timechart:

* |head 1| eval in="0;1,000;2,000;4,000"| makemv delim=";" in| mvexpand in | table _time in | timechart bins=2 sum(in)

_time                       sum(in)
1   12/09/2012 00:00:00.000 7000

Funny, isn't it?

  • Has anyone an explanation?
  • Is there a way to tell splunk to interpret a field as numeric and get rid of 1000 separators? (tonumber() is not clever enough)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎09-12-2012 07:35 AM

Remove the commas before piping to the stats command by using convert's rmcomma function.

rmcomma()
Syntax: rmcomma(<wc-field>) 
Description: Removes all commas from value, e.g. '1,000,000.00' -> '1000000.00'

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎09-12-2012 07:35 AM

Remove the commas before piping to the stats command by using convert's rmcomma function.

rmcomma()
Syntax: rmcomma(<wc-field>) 
Description: Removes all commas from value, e.g. '1,000,000.00' -> '1000000.00'

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert

Reply
Solved! Jump to solution

grundsch
Communicator
‎09-12-2012 07:58 AM

rock'n roll, it's working! also with auto:
* |head 1| eval in="0;1,000;2,000;4,000"| makemv delim=";" in| mvexpand in | table _time in |convert auto(in) | streamstats sum(in)

I suppose that timechart is applying auto() by default.
Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...