One of the values in my log is sent and received; I believe it's bytes. I would like to display those as Kb and Mb. Using commas would also be great. Is there any easy way to tell Splunk to do this?
Here is my sample log:
Jun 24 16:22:55 10.0.59.59 id=firewall sn=0017C569F354 time="2013-06-24 16:22:55" fw=10.0.59.59 pri=6 c=1024 m=537 msg="Connection Closed" app=49176 sess=Web n=3641361 usr="admin" src=10.103.62.80:32826:X1 dst=10.0.59.59:80:X1 proto=tcp/http sent=716 rcvd=472
Near the end you see: sent=716 and rcvd=472. I would like to display those like
Sent: 716 bytes
Received: 472 bytes
If they were larger like this log
Jun 24 16:22:53 10.0.59.59 id=firewall sn=0017C569F354 time="2013-06-24 16:22:53" fw=10.0.59.59 pri=6 c=1024 m=537 msg="Connection Closed" app=49176 sess=Web n=3641359 usr="admin" src=10.103.62.80:32825:X1 dst=10.0.59.59:80:X1 proto=tcp/http sent=791 rcvd=3742
then it would be:
sent: 791 bytes
received: 3.6 Kb
I would use something like - eval bytes = round(bytes/1024/1024,2) | rename bytes as "total(MB)". For something like this, we can use a search macro - http://docs.splunk.com/Documentation/Splunk/6.0.4/Search/Usesearchmacros.
I wrote a Splunk app, "Humanize", to help with this situation: https://splunkbase.splunk.com/app/3104/
My app will convert a number in bytes to a human-friendly representation - KB, MB, GB, etc.
Please let me know if you have any feedback so I can improve the app!
One way to do it is with the eval command.
However, this would not scale with MB, etc. If the values are usually in the bytes/KB it might be worth a shot.
In order to have commas:
In order to show Kb or bytes or any other, you will need to play with eval and case to have your condition sentences. It all should work nice and pretty.
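The eval and case approach the answers describe, written out as an added example (not code from any of the posts above). It runs on its own from constructed sample rows: the first two pairs repeat the sent/rcvd values from the question, the third pair is made up to exercise the larger units, and the `sent_h` / `rcvd_h` field names are hypothetical. Units are 1024-based.

```spl
| makeresults
| eval raw = "716,472 791,3742 5242880,1610612736"
| makemv delim=" " raw
| mvexpand raw
| eval sent = tonumber(mvindex(split(raw, ","), 0)),
       rcvd = tonumber(mvindex(split(raw, ","), 1))
| foreach sent rcvd
    [ eval <<FIELD>>_h = case(
        '<<FIELD>>' < 1024,         tostring('<<FIELD>>', "commas") . " bytes",
        '<<FIELD>>' < pow(1024, 2), tostring(round('<<FIELD>>' / 1024, 1), "commas") . " Kb",
        '<<FIELD>>' < pow(1024, 3), tostring(round('<<FIELD>>' / pow(1024, 2), 1), "commas") . " Mb",
        true(),                     tostring(round('<<FIELD>>' / pow(1024, 3), 2), "commas") . " Gb") ]
| rename sent_h AS "Sent", rcvd_h AS "Received"
| table sent rcvd Sent Received
```

Against real firewall events, replace everything above the `foreach` line with the base search; the original `sent` and `rcvd` fields stay numeric, so they can still be summed or sorted.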