Solved: Re: Calculations on fields with multiplier abbrivi...

nickhills · ‎05-26-2017

Any ideas on how to handle this - I am imaging a horrible if/string statement, but any other ideas?

i have a field "bytes" and any of the following could be values:

bytes=0
bytes=345
bytes=456K
bytes=789M
bytes=20G

I would like to chart (or otherwise perform math functions) so I need a means to normalise the values into a common format either bytes or kb.

If my comment helps, please give it a thumbs up!

woodcock · ‎05-26-2017

Like this:

| makeresults 
| eval bytes="0,345,456K,789M,20G" 
| makemv delim="," bytes 
| mvexpand bytes

| rename COMMENT AS "Everything above creates test events; everything below is your solution"

| eval strip_and_multiplier = case(
    match(bytes, "[kK]$"),     "1,1024",
    match(bytes, "[kK][bB]$"), "2,1024",
    match(bytes, "[mM]$"),     "1,1048576",
    match(bytes, "[mM][bB]$"), "2,1048576",
    match(bytes, "[gG]$"),     "1,1073741824",
    match(bytes, "[gG][bB]$"), "2,1073741824",
         true(),               "0,1")
| rex field=strip_and_multiplier "^(?<strip>[^,]+),(?<multiplier>.*)$"
| fields - strip_and_multiplier
| eval len=len(bytes), bytes = tonumber(substr(bytes, 0, len - strip)) * multiplier

I would make this a macro.

View solution in original post

woodcock · ‎05-26-2017

Like this:

| makeresults 
| eval bytes="0,345,456K,789M,20G" 
| makemv delim="," bytes 
| mvexpand bytes

| rename COMMENT AS "Everything above creates test events; everything below is your solution"

| eval strip_and_multiplier = case(
    match(bytes, "[kK]$"),     "1,1024",
    match(bytes, "[kK][bB]$"), "2,1024",
    match(bytes, "[mM]$"),     "1,1048576",
    match(bytes, "[mM][bB]$"), "2,1048576",
    match(bytes, "[gG]$"),     "1,1073741824",
    match(bytes, "[gG][bB]$"), "2,1073741824",
         true(),               "0,1")
| rex field=strip_and_multiplier "^(?<strip>[^,]+),(?<multiplier>.*)$"
| fields - strip_and_multiplier
| eval len=len(bytes), bytes = tonumber(substr(bytes, 0, len - strip)) * multiplier

I would make this a macro.

adonio · ‎05-26-2017

if i understood correctly, will only add ... | eval byes=bytes at the beginning of the search. up voting, its a great answer and the macro advice is a cherry here

nickhills · ‎05-30-2017

Woodcock, I love the idea to do the strip chars and multiplier in one step, I hadn't even considered that!
In my case, I needed this to answer a one off question, but I do plan to add this to a macro for future use. Thanks for a great idea, and a fully worked answer.

Apologies for the typo, as you suggested it was simply that. I will correct the original question

If my comment helps, please give it a thumbs up!

woodcock · ‎05-26-2017

I do not understand your comment so I cannot respond with anything useful.

adonio · ‎05-27-2017

@nickhillscpl asks: "i have a field "byes" and any of the following could be values:" and shows an example:
byes=0
bytes=345
bytes=456K
maybe it was a typo, but since i saw byes in 2 places, i thought it is a field name and there fore my comment.

woodcock · ‎05-27-2017

Ah, I see now. His data probably has those strings and is using KV_MODE to pull out KVPs but I use the same (easier) way to fake the events; what is actually important are the fields and values, not the actual raw events or how the values get created.

nickhills · ‎05-26-2017

so this works, but its a bit ugly. I'd be delighted if there was a better way.

..|eval multiplier=if(like(bytes, "%K%"), 1024, if(like(bytes, "%M%"),1048576,1))|eval bytes2=replace(bytes,"K","")|eval bytes2=replace(bytes2,"M","")|eval bytes=bytes2*multiplier|..

yuk!

If my comment helps, please give it a thumbs up!

Calculations on fields with multiplier abbriviations

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...