Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

rounding streamstats output to 2 decimal places

dang
Path Finder
‎08-22-2011 08:51 AM

I'm creating a simple table to show the success rate of an event. I've got the following statement in my splunk search 

<splunk search stuff defining Success and Attempt> | eval rate=round((Success*100)/Attempt,2) | streamstats avg(rate) as average by _time | sort -_time limit=15 | fields _time rate average

The streamstats information is currently shown out to 6 decimal places, which is unnecessary. I can't seem to find the correct syntax to display the streamstats data with only two decimal points. Can anyone demonstrate how to do this properly?

Tags (1)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎08-22-2011 12:22 PM

I think the problem is the by _time ? Having that there will make streamstats only do the average calculation for the events that are within the given event's exact second. Therefore if all the events in the set happen at different _time values, the "average" and the values themselves will always be the same.

Also not sure what the sort clause was doing there, since streamstats wont alter the sort order at all and the events will already be in descending time order.

<splunk search stuff defining Success and Attempt> | streamstats avg(rate) as average | eval rate=round((Success*100)/Attempt,2) | fields _time rate average

0 Karma
Reply

BobM
Builder
‎08-22-2011 09:37 AM

You have the round command before the streamstats, copying it after should give you what you want.

<splunk search stuff defining Success and Attempt> | eval rate=round((Success*100)/Attempt,2) | streamstats avg(rate) as average by _time | eval average=round(average,2)| sort -_time limit=15 | fields _time rate average

Bob

0 Karma
Reply

dang
Path Finder
‎08-22-2011 10:10 AM

Bob, I'm still trying to get this to work. It seems the streamstats is not "streaming", in that I'm getting the same value for both (the average and streamed) fields. Did you intend to define "average" with two eval statements, or should they use different names?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...