https://community.splunk.com/t5/Splunk-Search/conditional-converion/m-p/86884#M22184 <P>Oh right. No problem. it's easy. I'll update my answer.</P> Mon, 08 Apr 2013 03:19:14 GMT sideview 2013-04-08T03:19:14Z https://community.splunk.com/t5/Splunk-Search/conditional-converion/m-p/86881#M22181 <P>Hi All,</P> <P>I have a field called "diskin" which can have two values in two measurements </P> <P>1) K for kilobytes<BR /><BR /> 2) M for megabytes</P> <P>eg: diskin=9.9M, diskin=948K etc</P> <P>How do i auto covert them to a single measurement say in bytes during search time ?</P> <P>Thanks</P> <P>Regards</P> <P>KK</P> Mon, 08 Apr 2013 01:56:15 GMT https://community.splunk.com/t5/Splunk-Search/conditional-converion/m-p/86881#M22181 KarunK 2013-04-08T01:56:15Z https://community.splunk.com/t5/Splunk-Search/conditional-converion/m-p/86882#M22182 <P>You can use the if() function in eval, along with the substr() function to check the last character of the diskin field: </P> <P><CODE>... | eval bytes=if(substr(diskin,-1)=="M",diskin/(1024*1024),diskin/1024)</CODE></P> <P>If you have more than two cases, it's cleaner to use the case() function. Even with only 2 cases, it's a bit of a tossup. Here's the same functionality but with the case() function. </P> <P><CODE>...| eval bytes=case(substr(diskin,-1)=="M",diskin/(1024*1024), substr(diskin,-1)=="K", ,diskin/1024)</CODE></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions</A></P> <P>UPDATE: </P> <P>Sorry I forgot that those suffixes will prevent the field from being treated as a numeric field. Splunk will sometimes forgive a certain amount of strangeness and treat values as numeric anyway, but indeed it does not in this case and the division above fails. </P> <P>But you can easily make yourself a numeric field by clipping off the suffix, and the overall search language then looks like: </P> <P>with the eval command's if() function: </P> <P><CODE>... | eval suffix=substr(diskin,-1) | eval value=substr(diskin,0,length(diskin)-1) | eval bytes=if(suffix=="M",value/(1024*1024),value/1024)</CODE></P> <P>with the case() function instead: </P> <P><CODE>... | eval suffix=substr(diskin,-1) | eval value=substr(diskin,0,length(diskin)-1) | eval bytes=case(suffix=="M",value/(1024*1024),suffix=="K",value/1024)</CODE></P> Mon, 08 Apr 2013 02:02:37 GMT https://community.splunk.com/t5/Splunk-Search/conditional-converion/m-p/86882#M22182 sideview 2013-04-08T02:02:37Z https://community.splunk.com/t5/Splunk-Search/conditional-converion/m-p/86883#M22183 <P>Ies i have tried this but "diskin/1024" wont work since, diskin is alphanumeric (eg:diskin=9.9M/1024)</P> Mon, 08 Apr 2013 02:13:00 GMT https://community.splunk.com/t5/Splunk-Search/conditional-converion/m-p/86883#M22183 KarunK 2013-04-08T02:13:00Z https://community.splunk.com/t5/Splunk-Search/conditional-converion/m-p/86884#M22184 <P>Oh right. No problem. it's easy. I'll update my answer.</P> Mon, 08 Apr 2013 03:19:14 GMT https://community.splunk.com/t5/Splunk-Search/conditional-converion/m-p/86884#M22184 sideview 2013-04-08T03:19:14Z https://community.splunk.com/t5/Splunk-Search/conditional-converion/m-p/86885#M22185 <P>Thanks it worked....</P> <P>Cheers</P> <P>KK</P> Mon, 08 Apr 2013 04:46:16 GMT https://community.splunk.com/t5/Splunk-Search/conditional-converion/m-p/86885#M22185 KarunK 2013-04-08T04:46:16Z