
Calculations on fields with multiplier abbreviations

nickhills
Ultra Champion

Any ideas on how to handle this? I am imagining a horrible if/string statement, but are there any other ideas?

I have a field "bytes" and any of the following could be values:

bytes=0
bytes=345
bytes=456K
bytes=789M
bytes=20G

I would like to chart (or otherwise perform math functions) so I need a means to normalise the values into a common format either bytes or kb.

If my comment helps, please give it a thumbs up!
1 Solution

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval bytes="0,345,456K,789M,20G" 
| makemv delim="," bytes 
| mvexpand bytes

| rename COMMENT AS "Everything above creates test events; everything below is your solution"

| eval strip_and_multiplier = case(
    match(bytes, "[kK]$"),     "1,1024",
    match(bytes, "[kK][bB]$"), "2,1024",
    match(bytes, "[mM]$"),     "1,1048576",
    match(bytes, "[mM][bB]$"), "2,1048576",
    match(bytes, "[gG]$"),     "1,1073741824",
    match(bytes, "[gG][bB]$"), "2,1073741824",
         true(),               "0,1")
| rex field=strip_and_multiplier "^(?<strip>[^,]+),(?<multiplier>.*)$"
| fields - strip_and_multiplier
| eval len=len(bytes), bytes = tonumber(substr(bytes, 0, len - strip)) * multiplier

I would make this a macro.

adonio
Ultra Champion

If I understood correctly, you would only add ... | eval byes=bytes at the beginning of the search. Upvoting; it's a great answer, and the macro advice is a cherry here.


nickhills
Ultra Champion

Woodcock, I love the idea of doing the strip chars and multiplier in one step; I hadn't even considered that!
In my case, I needed this to answer a one-off question, but I do plan to add this to a macro for future use. Thanks for a great idea and a fully worked answer.

Apologies for the typo; as you suggested, it was simply that. I will correct the original question.


woodcock
Esteemed Legend

I do not understand your comment so I cannot respond with anything useful.


adonio
Ultra Champion

@nickhillscpl asks: "i have a field "byes" and any of the following could be values:" and shows an example:
byes=0
bytes=345
bytes=456K
Maybe it was a typo, but since I saw byes in 2 places, I thought it was a field name, and therefore my comment.


woodcock
Esteemed Legend

Ah, I see now. His data probably has those strings and is using KV_MODE to pull out KVPs but I use the same (easier) way to fake the events; what is actually important are the fields and values, not the actual raw events or how the values get created.


nickhills
Ultra Champion

So this works, but it's a bit ugly. I'd be delighted if there was a better way.

..|eval multiplier=if(like(bytes, "%K%"), 1024, if(like(bytes, "%M%"),1048576,1))|eval bytes2=replace(bytes,"K","")|eval bytes2=replace(bytes2,"M","")|eval bytes=bytes2*multiplier|..

yuk!

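As an added example that is not code from this thread or from Splunk, the same normalisation written in Python so it can be checked offline. It mirrors the accepted answer's suffix table (K/KB, M/MB, G/GB, binary multipliers) and goes a little beyond it by also accepting a T suffix and decimal values such as "1.5G", both of which are my assumptions rather than anything the thread states. It also reproduces the like("%K%")/replace() approach from the asker's own attempt above, to show concretely which inputs that substring approach mishandles. The sample events and the helper names (to_bytes, naive_to_bytes, normalise_events) are constructed for this example.

```python
import re

# Binary multipliers keyed by the upper-case unit letter, matching the
# accepted answer's case() table (1024, 1048576, 1073741824); "T" is an
# assumption added here, not part of the thread.
_MULTIPLIERS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}

# One anchored regex instead of a chain of match()/like() tests: a number,
# an optional unit letter, an optional trailing "B". The ^...$ anchors are
# what let "456KB" and "456K" be told apart from "456".
_SIZE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([KMGT]?)B?\s*$", re.IGNORECASE)


def to_bytes(value: str) -> int:
    """Normalise '0', '345', '456K', '789MB', '1.5g' ... to an integer byte count.

    Raises ValueError on anything that does not look like a size instead of
    silently multiplying by 1 the way a catch-all true() branch would.
    """
    m = _SIZE_RE.match(value)
    if m is None:
        raise ValueError(f"not a size value: {value!r}")
    number, unit = m.group(1), m.group(2).upper()
    return int(round(float(number) * _MULTIPLIERS[unit]))


def naive_to_bytes(value: str):
    """The asker's like('%K%')/replace() attempt, reproduced to show its limits.

    Substring matching cannot tell 'K' from 'KB' and has no 'G' branch, so
    'KB' inputs and any 'G' input fail to convert. Returns None where
    Splunk's tonumber() / arithmetic on a non-number would yield null.
    """
    multiplier = 1024 if "K" in value else 1048576 if "M" in value else 1
    stripped = value.replace("K", "").replace("M", "")
    try:
        return float(stripped) * multiplier
    except ValueError:
        return None


def normalise_events(lines):
    """Pull the bytes=<value> pair out of constructed log lines and normalise it."""
    out = []
    for line in lines:
        m = re.search(r"\bbytes=(\S+)", line)
        if m:
            out.append((m.group(1), to_bytes(m.group(1))))
    return out


# Constructed sample events: the question's values plus the suffix variants
# the accepted answer's case() table handles.
SAMPLE_EVENTS = [
    "bytes=0", "bytes=345", "bytes=456K", "bytes=789M", "bytes=20G",
    "bytes=456KB", "bytes=20GB", "bytes=1.5g",
]

if __name__ == "__main__":
    for raw, n in normalise_events(SAMPLE_EVENTS):
        print(f"{raw:>8} -> {n}")
    print("naive 456KB ->", naive_to_bytes("456KB"))  # None: '456B' is not a number
    print("naive 20G   ->", naive_to_bytes("20G"))    # None: no G branch, 'G' never stripped
```

Rejecting unknown suffixes with an exception is a deliberate difference from the SPL: in a chart, a value that silently fell through to the "0,1" branch would be plotted as the wrong magnitude, whereas a null or an error is at least visible.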