- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Easy way to convert bits into bytes and kb
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Easy way to convert bits into bytes and kb
one of the values in my log is sent and received I believe it's bytes. I would like to display those as Kb and Mb. Using commas would also be great. Is there any easy way to tell splunk to do this?
here is my sample log:
Jun 24 16:22:55 10.0.59.59 id=firewall sn=0017C569F354 time="2013-06-24 16:22:55" fw=10.0.59.59 pri=6 c=1024 m=537 msg="Connection Closed" app=49176 sess=Web n=3641361 usr="admin" src=10.103.62.80:32826:X1 dst=10.0.59.59:80:X1 proto=tcp/http sent=716 rcvd=472
near the end you see: sent=716 and rcvd=472. I would like to display those like
Sent: 716 bytes
Received: 472 bytes
If they were larger like this log
Jun 24 16:22:53 10.0.59.59 id=firewall sn=0017C569F354 time="2013-06-24 16:22:53" fw=10.0.59.59 pri=6 c=1024 m=537 msg="Connection Closed" app=49176 sess=Web n=3641359 usr="admin" src=10.103.62.80:32825:X1 dst=10.0.59.59:80:X1 proto=tcp/http sent=791 rcvd=3742
then it would be:
sent: 791 bytes
received: 3.6 Kb
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would use something like - eval bytes = round(bytes/1024/1024,2) | rename bytes as "total(MB)". For something like this, we can use a search macro - http://docs.splunk.com/Documentation/Splunk/6.0.4/Search/Usesearchmacros.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wrote a Splunk app, "Humanize", to help with this situation: https://splunkbase.splunk.com/app/3104/
My app will convert a number in bytes to a human-friendly representation - KB, MB, GB, etc.
Please let me know if you have any feedback so I can improve the app!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your App is not visible in Splunkbase.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahh, thanks for letting me know. I emailed support and they just released it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way to do it is with the eval command.
...|eval kb_rcvd=(rcvd/1024)
However, this would not scale with MB, etc. If the values are usally in the bytes/KB it might be worth a shot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in order to have commas:
fieldformat AVG=tostring(AVG,"commas")
in order to be showing Kb or bytes or any other you will need to play with eval and case to have your condition sentences. It all should work nice and pretty
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
