topic Re: Converting bytes to GB or MB in Splunk Search

Converting bytes to GB or MB

pmac22 — Wed, 30 Sep 2020 00:31:55 GMT

Hey all, I was getting confused by some of the splunk answers for converting and couldn't figure out the eval portion of my query. Can someone shed some light on how I can convert the bytes_out field from my palo logs to MB and GB? Query below, thank you in advance!

index=pan_logs sourcetype=pan:traffic
| stats sum(bytes_out) AS bytes_out by user src_ip dest_ip
| where bytes_out>35000000
| sort - bytes_out

Re: Converting bytes to GB or MB

ddrillic — Thu, 16 May 2019 16:54:57 GMT

In the spirit of - | eval GB=kb/1024/1024

Re: Converting bytes to GB or MB

dmarling — Wed, 30 Sep 2020 00:31:58 GMT

@ddrillic has it correct. bytes_out/1024 will get you kilobytes divide that by 1024 to get megabytes and divide that by 1024 to get gigabytes: | eval GB_out=bytes_out/1024/1024/1024 to get megabytes: | eval MB_out=bytes_out/1024/1024

Re: Converting bytes to GB or MB

pmac22 — Thu, 16 May 2019 17:32:38 GMT

That worked out great! Thanks guys!

Re: Converting bytes to GB or MB

dmarling — Thu, 16 May 2019 17:39:09 GMT

@ddrillic You may want to convert your comment to an answer as it was basically the answer he needed. I just added a comment to make it more specific to his use case.

Re: Converting bytes to GB or MB

pmac22 — Wed, 30 Sep 2020 00:32:04 GMT

Thanks guys. Worked like a charm! Here's my updated search...

index=pan_logs sourcetype=pan:traffic
| stats sum(bytes_out) AS bytes_out by user src_ip dest_ip
| where bytes_out>35000000
| eval MB_out=round(bytes_out/1024/1024,2)
| sort - MB_out

Re: Converting bytes to GB or MB

ddrillic — Thu, 16 May 2019 19:26:07 GMT

Sure thing @dmarling ; -)