Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

round number from max (*) as * and also avg(*) as *

mmouse88
Path Finder
‎06-03-2014 05:40 AM

I have a created a table using timechart with the max #. It generates a row of maximum of sourcetype. How would I round the max # to 0 decimal. Here's my command:

timechart sum(eval(quantity/12)) span=1h by sourcetype | stats max(*) as *

timechart sum(eval(quantity/12)) span=1h by sourcetype | stats avg(*) as *

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-03-2014 06:39 AM

How about this?

your base search | eval quantity=round(quantity/12) | timechart sum(quantity) span=1h by sourcetype | stats max(*) as *

Try this:

your base search | timechart sum(eval(quantity/12)) span=1h by sourcetype | stats max(*) as * 
| replace *.* with *#* | convert rmunit(*)

*Updated answer*
Don't know why I didn't think of this before. Try this

For max(*) as *

 your base search | bucket span=1h _time  | stats  sum(eval(quantity/12)) as total by _time, sourcetype | eval total=round(total) | eval temp=1| chart first(total) as total  over temp by sourcetype | fields - temp

For avg(*) as *

your base search | bucket span=1h _time  | stats  sum(eval(quantity/12)) as total by _time, sourcetype | stats avg(total) as total by sourcetype | eval total=round(total) | eval temp=1| chart first(total) as total  over temp by sourcetype | fields - temp

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-03-2014 06:39 AM

How about this?

your base search | eval quantity=round(quantity/12) | timechart sum(quantity) span=1h by sourcetype | stats max(*) as *

Try this:

your base search | timechart sum(eval(quantity/12)) span=1h by sourcetype | stats max(*) as * 
| replace *.* with *#* | convert rmunit(*)

*Updated answer*
Don't know why I didn't think of this before. Try this

For max(*) as *

 your base search | bucket span=1h _time  | stats  sum(eval(quantity/12)) as total by _time, sourcetype | eval total=round(total) | eval temp=1| chart first(total) as total  over temp by sourcetype | fields - temp

For avg(*) as *

your base search | bucket span=1h _time  | stats  sum(eval(quantity/12)) as total by _time, sourcetype | stats avg(total) as total by sourcetype | eval total=round(total) | eval temp=1| chart first(total) as total  over temp by sourcetype | fields - temp
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-04-2014 03:38 PM

Excellent both worked. Thank you so much for your dedication

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-04-2014 12:06 PM

See the updated answer. I also updated the previous one to remove _time from final result.

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-04-2014 11:42 AM

awesome. it worked. Thank you. can i ask for the second part using avg(*) as *

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-04-2014 11:07 AM

Got another alternative. Try the updated answer.

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-04-2014 10:45 AM

here are the values:
26 7.666636 7 6 5.583311 3.249987 2.999988 2

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-04-2014 05:51 AM

Can you paste some of the result which it was not able to truncate?

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-03-2014 05:48 PM

thx. It was able to convert or truncate some values after the decimal. Only 5 values (column 1, 4, 5, 11) had no decimal.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-03-2014 01:57 PM

Try the updated answer. Note that its not doing the rounding, its just truncating anything after the decimal point.

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-03-2014 11:31 AM

no worries, my fault. i might not of explain it clearly. without the round my query produce the results #.###### (6 decimal places)

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-03-2014 11:16 AM

Sorry I got confused. Are the values for field quantity less than 6??

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-03-2014 11:14 AM

precision, do u mean to remove the divide by 12?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-03-2014 10:59 AM

If you want no decimal places then you don't have to specify the precision (see the syntax in my answer).

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-03-2014 10:52 AM

if i add to your command: eval quantity=round(quantity/12,1). It gives me one decimal place which is pretty close to what I want. would like 0 decimal places. replace ,1 with 0 then results is all 0s.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-03-2014 10:49 AM

Can you post your current working query? one with no rounding?

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎06-03-2014 10:36 AM

sorry, it didn't work. results produce all 0s

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...