topic Re: Converting units in Splunk Search

Converting units in my classification breaks my alert?

klaudiac — Sun, 05 Feb 2023 23:18:19 GMT

Hi,

I had a good base search for a calculation and alerting when an upload/download happens, but now I tried to tidy it up and convert bytes to KB and show a percentage as a "10%" instead of just "10", but somewhere along the way my search breaks...
When i try to show bytes as KB using this:

| eval total_KB_bytes=round(total_bytes/1024,0)."KB"
| eval KB_bytes_in=round(bytes_in/1024,0)."KB"
| eval KB_bytes_out=round(bytes_out/1024,0)."KB"

my Classification and Alert break.

Any help would be greatly appreciated!

The The original search is:

index=zscaler http_method IN ("POST", "PUT")

| rename bytes as "total_bytes"
| table _time index user src_user_email dest app appclass category http_method filetype total_bytes bytes_in bytes_out

| eval user_bytes_perc_download = round((bytes_in/total_bytes)*100,2)
| eval user_bytes_perc_upload = round((bytes_out/total_bytes)*100,2)
| eval Classification=case(user_bytes_perc_download > 70,"download", user_bytes_perc_upload > 70,"upload", user_bytes_perc_download <70 AND user_bytes_perc_upload <70, "none")

| eval Alert=if((Classification="download" OR Classification="upload") AND total_bytes > 20000, "YES", "NO")

Re: Converting units

rnowitzki — Thu, 19 Nov 2020 12:21:24 GMT

Hi @klaudiac,

Try fieldformat. It does change the way a value is displayed, but does not change the underlaying value/type of data.

| eval kb=bytes/1024 | fieldformat kb=round(kb,2)."kb"

Hope it helps.
BR
Ralph

Re: Converting units

klaudiac — Thu, 19 Nov 2020 14:01:01 GMT

Hi Ralph,

The | fieldformat makes it look so much neater, thanks very much! 🙂

Re: Converting units

rnowitzki — Thu, 19 Nov 2020 13:57:05 GMT

Hi Klaudia,

There is nothing wrong with your SPL 🙂 And you found a workaround (Set the Alert trigger before adding the "KB"), so this is just cosmetic:

You could just change the last 5 evals to fieldformat.
That way, the values are still numbers, but display for us silly humans with "KB" (or %) 😛

| eval total_KB_bytes=total_KB_bytes."KB" change to => | fieldformat total_KB_bytes=total_KB_bytes."KB" | eval KB_bytes_in=KB_bytes_in."KB" change to => | fieldformat KB_bytes_in=KB_bytes_in."KB"

and so forth with all 5 evals.

Now you can still calculate/compare/whatever with the values, regardless of the "KB" added.

Cheers
Ralph

Re: Converting units

tfujita_splunk — Sat, 04 Feb 2023 12:13:34 GMT

This could be also solution for you.

https://community.splunk.com/t5/Splunk-Search/FileSize-to-human-readable/m-p/629602/highlight/true#M218718

| makeresults count=35
```THIS SECTION IS JUST CREATING SAMPLE VALUES.```
| streamstats count as digit
| eval val=pow(10,digit-1), val=val+random()%val
| foreach bytes [eval <<FIELD>>=val]
| table digit val bytes
| fieldformat val=tostring(val,"commas")

```THE FOLLOWING LINES MAY BE WHAT ACHIEVES THE FORMAT YOU ARE LOOKING FOR.```
| fieldformat bytes=printf("% 10s",printf("%.2f",round(bytes/pow(1024,if(bytes=0,0,floor(min(log(bytes,1024),10)))),2)).case(bytes=0 OR log(bytes,1024)<1,"B ", log(bytes,1024)<2,"KiB", log(bytes,1024)<3,"MiB", log(bytes,1024)<4,"GiB", log(bytes,1024)<5,"TiB", log(bytes,1024)<6,"PiB", log(bytes,1024)<7,"EiB", log(bytes,1024)<8,"ZiB", log(bytes,1024)<9,"YiB", log(bytes,1024)<10,"RiB", log(bytes,1024)<11,"QiB", 1=1, "QiB"))

If you can install app or ask admin on your to install app,

installing add-on Numeral system macros for Splunk enables you to use macros numeral_binary_symbol(1) or numeral_binary_symbol(2).

Example

| makeresults count=35
```THIS SECTION IS JUST CREATING SAMPLE VALUES.```
| streamstats count as digit
| eval val=pow(10,digit-1), val=val+random()%val
| foreach bytes [eval <<FIELD>>=val]
| table digit val bytes
| fieldformat val=tostring(val,"commas")

```THE FOLLOWING LINES MAY BE WHAT ACHIEVES THE FORMAT YOU ARE LOOKING FOR.```
| fieldformat bytes=printf("% 10s",`numeral_binary_symbol(bytes,2)`)

Numeral system macros for Splunk

https://splunkbase.splunk.com/app/6595

Usage:

How to convert a large number to string with expressions of long and short scales, or neither.

https://community.splunk.com/t5/Splunk-Search/How-to-convert-a-large-number-to-string-with-expressio...