## Calculations on fields with multiplier abbreviations

Ultra Champion

Any ideas on how to handle this - I am imagining a horrible if/string statement, but any other ideas?

I have a field "bytes" and any of the following could be values:

```
bytes=0
bytes=345
bytes=456K
bytes=789M
bytes=20G
```

I would like to chart (or otherwise perform math functions) so I need a means to normalise the values into a common format either bytes or kb.

If my comment helps, please give it a thumbs up!
1 Solution
Esteemed Legend

Like this:

```
| makeresults
| eval bytes="0,345,456K,789M,20G"
| makemv delim="," bytes
| mvexpand bytes

| rename COMMENT AS "Everything above creates test events; everything below is your solution"

| eval strip_and_multiplier = case(
    match(bytes, "[kK]$"),     "1,1024",
    match(bytes, "[kK][bB]$"), "2,1024",
    match(bytes, "[mM]$"),     "1,1048576",
    match(bytes, "[mM][bB]$"), "2,1048576",
    match(bytes, "[gG]$"),     "1,1073741824",
    match(bytes, "[gG][bB]$"), "2,1073741824",
    true(),                    "0,1")
| rex field=strip_and_multiplier "^(?<strip>[^,]+),(?<multiplier>.*)$"
| fields - strip_and_multiplier
| eval len=len(bytes), bytes = tonumber(substr(bytes, 0, len - strip)) * multiplier
```

I would make this a macro.

SplunkTrust

If I understood correctly, will only add `... | eval byes=bytes` at the beginning of the search. Upvoting, it's a great answer and the macro advice is a cherry here.

Ultra Champion

Woodcock, I love the idea to do the strip chars and multiplier in one step, I hadn't even considered that!
In my case, I needed this to answer a one-off question, but I do plan to add this to a macro for future use. Thanks for a great idea, and a fully worked answer.

Apologies for the typo, as you suggested it was simply that. I will correct the original question.

Esteemed Legend

I do not understand your comment so I cannot respond with anything useful.

SplunkTrust

@nickhillscpl asks: "i have a field "byes" and any of the following could be values:" and shows an example:

```
byes=0
bytes=345
bytes=456K
```

Maybe it was a typo, but since I saw byes in 2 places, I thought it is a field name and therefore my comment.

Esteemed Legend

Ah, I see now. His data probably has those strings and is using `KV_MODE` to pull out KVPs but I use the same (easier) way to fake the events; what is actually important are the fields and values, not the actual raw events or how the values get created.

Ultra Champion

So this works, but it's a bit ugly. I'd be delighted if there was a better way.

```
..|eval multiplier=if(like(bytes, "%K%"), 1024, if(like(bytes, "%M%"),1048576,1))|eval bytes2=replace(bytes,"K","")|eval bytes2=replace(bytes2,"M","")|eval bytes=bytes2*multiplier|..
```

yuk!
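A single-regex variant of the normalisation discussed in this thread, added here as an example and not posted by any of the participants. It goes beyond the thread's sample values by also accepting decimals and an optional trailing B, and it leaves values it cannot parse as null instead of producing a wrong number. The field names `num`, `unit`, `exponent` and `bytes_normalized` are assumptions, and the extra test values are constructed.

```spl
| makeresults
| eval bytes="0,345,456K,789M,20G,1.5g,12kb,n/a"
| makemv delim="," bytes
| mvexpand bytes

| rename COMMENT AS "Everything above creates test events (constructed); everything below is the normalisation"

| rex field=bytes "^(?<num>\d+(?:\.\d+)?)\s*(?<unit>[kKmMgG])?[bB]?$"
| eval exponent = case(
    isnull(unit),     0,
    lower(unit)=="k", 1,
    lower(unit)=="m", 2,
    lower(unit)=="g", 3)
| eval bytes_normalized = if(isnull(num), null(), round(tonumber(num) * pow(1024, exponent)))
| fields - num unit exponent
```

Writing the result to a separate field keeps the original `bytes` value available, so events where `bytes_normalized` is null can be reviewed for formats the regex does not cover.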
