topic How to edit my search to get results to display volume as BYTES, KB, MB, GB, and TB? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-results-to-display-volume-as-BYTES/m-p/250569#M74873 <P>Hello,</P> <P>I have search and currently the results show in MB. For example:</P> <P>Current Search:</P> <P>Vol in MB<BR /> 112435<BR /> 9734<BR /> 29845<BR /> 725634<BR /> 3564476<BR /> 233463</P> <P>I would like to have it show up as like the below example:</P> <P>Volume<BR /> 723 MB<BR /> 14MB<BR /> 12KB<BR /> 12GB<BR /> 1.2 TB</P> <P>Here is the search context which we are using:</P> <PRE><CODE>index=pan_logs $vsys_name$ eventtype=pan_traffic action=allowed | stats sparkline sum(bytes) AS sbytes by app | sort -sbytes | head 8 | eval Application=upper(app) | eval "Vol in MB"=round(sbytes/1024/1024) | rename sparkline AS Distribution | table Application "Vol in MB" Distribution </CODE></PRE> <P>Result:</P> <P>Application.........................Vol in MB................. Distribution<BR /> Quic...................................... 342<BR /> Wb-Browsing........................306<BR /><BR /> SSL.........................................26<BR /> MS-SMS.................................14<BR /> Google-Base.........................13<BR /> Skype.....................................3<BR /> MS-Update............................2</P> Thu, 25 Aug 2016 18:17:07 GMT elijahputnam 2016-08-25T18:17:07Z How to edit my search to get results to display volume as BYTES, KB, MB, GB, and TB? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-results-to-display-volume-as-BYTES/m-p/250569#M74873 <P>Hello,</P> <P>I have search and currently the results show in MB. For example:</P> <P>Current Search:</P> <P>Vol in MB<BR /> 112435<BR /> 9734<BR /> 29845<BR /> 725634<BR /> 3564476<BR /> 233463</P> <P>I would like to have it show up as like the below example:</P> <P>Volume<BR /> 723 MB<BR /> 14MB<BR /> 12KB<BR /> 12GB<BR /> 1.2 TB</P> <P>Here is the search context which we are using:</P> <PRE><CODE>index=pan_logs $vsys_name$ eventtype=pan_traffic action=allowed | stats sparkline sum(bytes) AS sbytes by app | sort -sbytes | head 8 | eval Application=upper(app) | eval "Vol in MB"=round(sbytes/1024/1024) | rename sparkline AS Distribution | table Application "Vol in MB" Distribution </CODE></PRE> <P>Result:</P> <P>Application.........................Vol in MB................. Distribution<BR /> Quic...................................... 342<BR /> Wb-Browsing........................306<BR /><BR /> SSL.........................................26<BR /> MS-SMS.................................14<BR /> Google-Base.........................13<BR /> Skype.....................................3<BR /> MS-Update............................2</P> Thu, 25 Aug 2016 18:17:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-results-to-display-volume-as-BYTES/m-p/250569#M74873 elijahputnam 2016-08-25T18:17:07Z Re: How to edit my search to get results to display volume as BYTES, KB, MB, GB, and TB? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-results-to-display-volume-as-BYTES/m-p/250570#M74874 <P>Try this (you may have to fix the math <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> )</P> <PRE><CODE>| eval Volume=case(sbytes&lt;=1024, sbytes." B", sbytes&gt;1024 AND sbytes&lt;=(1024*1024), round(sbytes/(1024),1)." KB", sbytes&gt;(1024*1024) AND sbytes&lt;=(1024*1024*1024), round(sbytes/(1024*1024), 1)." MB", sbytes&gt;(1024*1024*1024) AND sbytes&lt;=(1024*1024*1024*1024), round(sbytes/(1024*1024*1024), 1)." GB", sbytes&gt;(1024*1024*1024*1024), round(sbytes/(1024*1024*1024*1024), 1)." TB", 1=1, "UNK") </CODE></PRE> Thu, 25 Aug 2016 18:50:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-results-to-display-volume-as-BYTES/m-p/250570#M74874 sundareshr 2016-08-25T18:50:52Z Re: How to edit my search to get results to display volume as BYTES, KB, MB, GB, and TB? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-results-to-display-volume-as-BYTES/m-p/250571#M74875 <P>I added what you posted to my search but now the values are showing up blank under "Vol in MB"</P> <P>Here is my complete search now.</P> <P>index=pan_logs $vsys_name$ eventtype=pan_traffic action=allowed | stats sparkline sum(bytes) AS sbytes by app | sort -sbytes | head 8 | eval Application=upper(app) | <STRONG>eval Volume=case(sbytes&lt;=1024, sbytes." B", sbytes&gt;1024 AND sbytes&lt;=(1024*1024), round(sbytes/(1024),1)." KB", sbytes&gt;(1024*1024) AND sbytes&lt;=(1024*1024*1024), round(sbytes/(1024*1024), 1)." MB", sbytes&gt;(1024*1024*1024) AND sbytes&lt;=(1024*1024*1024*1024), round(sbytes/(1024*1024*1024), 1)." GB", sbytes&gt;(1024*1024*1024*1024), round(sbytes/(1024*1024*1024*1024), 1)." TB", 1=1, "UNK")</STRONG> | rename sparkline AS Distribution | table Application "Vol in MB" Distribution</P> Tue, 29 Sep 2020 10:45:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-results-to-display-volume-as-BYTES/m-p/250571#M74875 elijahputnam 2020-09-29T10:45:34Z Re: How to edit my search to get results to display volume as BYTES, KB, MB, GB, and TB? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-results-to-display-volume-as-BYTES/m-p/250572#M74876 <P>Change "Vol in MB" to Volume, in your last table segment. Like this</P> <PRE><CODE> | table Application Volume Distribution </CODE></PRE> Thu, 25 Aug 2016 19:43:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-results-to-display-volume-as-BYTES/m-p/250572#M74876 sundareshr 2016-08-25T19:43:05Z