Refine your search:

Possible eval min bug?

2

Howdy, I've got some very simple data and I'm running the following on it:

index=main sourcetype=something host=something-else.csv \
    | eval minX = min(X1, X2, X3) \
    | timechart span=1day min(X1) min(X2) min(X3) min(minX)

X1,2,3 all range both positive & negative, as well as including decimals.

Oddly, the above always gives the value of X2 for minX. However, if I change it to

index=main sourcetype=something host=something-else.csv \
    | eval minX = min(1000000, X1, X2, X3) \
    | timechart span=1day min(X1) min(X2) min(X3) min(minX)

where 1000000 is some number above all the other numbers, it works as I want it to and selects the minimum value of the 3 fields.

I'm not sure why adding the 4th value should change anything... any ideas?

asked 04 Mar '11, 11:10

vaijpc's gravatar image

vaijpc
1761211
accept rate: 33%

edited 04 Mar '11, 11:17

2 Answers:
oldestnewestmost voted
1

Probably a bug. Try using 

... | eval minX = min(tonumber(X1), tonumber(X2), tonumber(X3)) | ...

instead.

It is likely related to this: http://answers.splunk.com/questions/11523/getting-maximum-value-from-a-series-of-fields-not-working

link

answered 05 Mar '11, 00:10

gkanapathy's gravatar image

gkanapathy ♦
32.6k4827
accept rate: 41%

edited 05 Mar '11, 00:29

Yep this looks to have resolved the issue. Means I don't need to chose an arbitrarily large number as my first field for min() so wahey. Still, min() shouldn't treat individual parameters differently depending on the other parameters should it? I can't seem to find a bugtracker to file this on, are you able to reproduce this? How should I notify 'splunk'?

(07 Mar '11, 12:32) vaijpc
0

One idea, is that in the docs it says that min(X,...) will actually operate on strings as well as numbers. It says specifically that strings sort higher than numbers.

http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions

However timechart and chart will always ignore values that are not numbers.

The difference is somewhat sensible -- timechart and chart, when you're using their numeric functions, are designed to 'graph' and 'chart' things so they silently filter out occasional non-numeric outliers. eval on the other hand is a much more general tool.

So one idea is to use the eval functions isnum() and tonumber() to see what you can find out anything weird about X2.

see if this changes anything -- 

index=main sourcetype=something host=something-else.csv 
| eval x2IsNumber = if(isnum(X2),1,0) | timechart count sum(x2IsNumber) as x2numericCount

and look for places where the second line drops below the count line. If there are any such places you may have your culprit.

link

answered 04 Mar '11, 17:02

sideview's gravatar image

sideview ♦
26.4k4544
accept rate: 47%

I'm afraid the lines were always equal.

(07 Mar '11, 12:30) vaijpc

Well, it was worth a shot. =)

(07 Mar '11, 17:17) sideview ♦

Yup, i guess isnum and eval min() just decide in different ways. Don't suppose you know where I could file a bug?

(08 Mar '11, 09:19) vaijpc

Sure, it's easy. Just send an email to support@splunk.com and they'll file it for you. splunk support is awesome. Say hi from nick. =)

(08 Mar '11, 18:53) sideview ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×248

Asked: 04 Mar '11, 11:10

Seen: 1,119 times

Last updated: 05 Mar '11, 00:29

Related questions

Min, max and average in column totals.

Possible to achieve eval results per host?

Computing average request time with mvcount fields and numerical field values

Calculating fields by groups of events

Search inside Eval if statement possible ?

weirdness using max() and min() in eval, operating on numeric multivalue fields

Transaction on eval field

eval - inconsistent math result

Is it possible to run stats or eval on a multi-valued field?

Copyright © 2005-2012 Splunk Inc. All rights reserved.