https://community.splunk.com/t5/Splunk-Search/Converting-variable-File-Size-Units-with-dot-points-to-bytes/m-p/567535#M197791 <P data-unlink="true">Thanks for the quick response - using <A href="https://convertlive.com/u/convert/kilobytes/to/bytes" target="_self">this website</A>&nbsp;the conversions are accurate.&nbsp;</P><P data-unlink="true">Here is a link to the app in development:&nbsp;<A href="https://github.com/satiex/splunk_synology_TA" target="_blank">https://github.com/satiex/splunk_synology_TA</A>&nbsp;</P><P data-unlink="true">Does anyone know how I can get these conversions to happen at index time? I've tried a few things with the props.conf and transforms.conf without any luck.</P><P data-unlink="true">&nbsp;</P><P data-unlink="true">Here is an example of a log event:</P><LI-CODE lang="markup">Sep 19 13:19:54 172.17.0.1 Sep 19 13:19:54 SYN-NAS WinFileService Event: read, Path: /Shows/TV Show/Season 1/Episode 1 - Pilot.mkv, File/Folder: File, Size: 1.23 GB, User: john.smith@ldap.local.com, IP: 192.168.1.59</LI-CODE><P data-unlink="true">And here is the REGEX in the transforms.conf:</P><LI-CODE lang="markup">[synology_ft_basefields] REGEX = \sWinFileService Event:\s(?&lt;action&gt;create|write|read|delete|rename),\sPath:\s(?&lt;path&gt;.+?(?=,)),\sFile\/Folder:\s(?&lt;file_folder&gt;File|Folder),\sSize:\s(?&lt;sizeValue&gt;[\d.]+)\s?(?&lt;sizeUnit&gt;\w*),\sUser:\s(?&lt;user&gt;[^\,]*),\sIP:\s(?&lt;src_ip&gt;[[ipv4]])</LI-CODE><P data-unlink="true">&nbsp;</P> Sun, 19 Sep 2021 05:48:44 GMT satiex 2021-09-19T05:48:44Z https://community.splunk.com/t5/Splunk-Search/Converting-variable-File-Size-Units-with-dot-points-to-bytes/m-p/567497#M197774 <P>Hi there,</P><P>I am building a Synology Splunk TA to share with the community. In the logs, file sizes can be presented in many different units:</P><P>&nbsp;</P><LI-CODE lang="markup">1.72 KB 2.35 KB 0 Bytes 75.08 KB 243.00 KB 18.62 MB 261.62 KB 48.60 GB</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I've been stuck trying to convert all of these values to bytes.</P><P><A href="https://community.splunk.com/t5/Splunk-Search/Convert-B-KB-MB-GB-into-bytes-without-a-unit/m-p/283585" target="_self">This post</A> was really helpful in using regex and eval statements, but does not consider the added complexity of have decimal places.</P><P>Any assistance is appreciated and will be credited in the App.</P> Sat, 18 Sep 2021 04:25:49 GMT https://community.splunk.com/t5/Splunk-Search/Converting-variable-File-Size-Units-with-dot-points-to-bytes/m-p/567497#M197774 satiex 2021-09-18T04:25:49Z https://community.splunk.com/t5/Splunk-Search/Converting-variable-File-Size-Units-with-dot-points-to-bytes/m-p/567504#M197777 <LI-CODE lang="markup">| makeresults | eval _raw="1.72 KB 2.35 KB 0 Bytes 75.08 KB 243.00 KB 18.62 MB 261.62 KB 48.60 GB" | multikv noheader=t | rex "^(?&lt;Value&gt;[\d.]+)\s?(?&lt;Unit&gt;\w*)$" | eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1) | eval InBytes=Value*factor | table _raw InBytes</LI-CODE> Sat, 18 Sep 2021 09:32:44 GMT https://community.splunk.com/t5/Splunk-Search/Converting-variable-File-Size-Units-with-dot-points-to-bytes/m-p/567504#M197777 ITWhisperer 2021-09-18T09:32:44Z https://community.splunk.com/t5/Splunk-Search/Converting-variable-File-Size-Units-with-dot-points-to-bytes/m-p/567535#M197791 <P data-unlink="true">Thanks for the quick response - using <A href="https://convertlive.com/u/convert/kilobytes/to/bytes" target="_self">this website</A>&nbsp;the conversions are accurate.&nbsp;</P><P data-unlink="true">Here is a link to the app in development:&nbsp;<A href="https://github.com/satiex/splunk_synology_TA" target="_blank">https://github.com/satiex/splunk_synology_TA</A>&nbsp;</P><P data-unlink="true">Does anyone know how I can get these conversions to happen at index time? I've tried a few things with the props.conf and transforms.conf without any luck.</P><P data-unlink="true">&nbsp;</P><P data-unlink="true">Here is an example of a log event:</P><LI-CODE lang="markup">Sep 19 13:19:54 172.17.0.1 Sep 19 13:19:54 SYN-NAS WinFileService Event: read, Path: /Shows/TV Show/Season 1/Episode 1 - Pilot.mkv, File/Folder: File, Size: 1.23 GB, User: john.smith@ldap.local.com, IP: 192.168.1.59</LI-CODE><P data-unlink="true">And here is the REGEX in the transforms.conf:</P><LI-CODE lang="markup">[synology_ft_basefields] REGEX = \sWinFileService Event:\s(?&lt;action&gt;create|write|read|delete|rename),\sPath:\s(?&lt;path&gt;.+?(?=,)),\sFile\/Folder:\s(?&lt;file_folder&gt;File|Folder),\sSize:\s(?&lt;sizeValue&gt;[\d.]+)\s?(?&lt;sizeUnit&gt;\w*),\sUser:\s(?&lt;user&gt;[^\,]*),\sIP:\s(?&lt;src_ip&gt;[[ipv4]])</LI-CODE><P data-unlink="true">&nbsp;</P> Sun, 19 Sep 2021 05:48:44 GMT https://community.splunk.com/t5/Splunk-Search/Converting-variable-File-Size-Units-with-dot-points-to-bytes/m-p/567535#M197791 satiex 2021-09-19T05:48:44Z