1 Solution
Hi @kirrusk ,
See if the following does the trick (ignore the first 4 lines which I used to replicate your example):
| makeresults
| eval fields = split("1500m,20GB|2000m,21GB|45,500mb|1440m,250mb|12,15GB", "|")
| mvexpand fields
| rex field=fields "(?<field1>[^\,]+)\,(?<field2>.+?)$" | fields - _time, fields
| rex field=field1 "(?<field1_num>\d+)(?<field1_unit>\D*)$"
| rex field=field2 "(?<field2_num>\d+)(?<field2_unit>\D*)$"
| eval
field1_num = if(NOT match(field1_unit, "m$") OR isNull(field1_unit), field1_num*1000, field1_num),
field2_num = if(NOT match(field2_unit, "GB$") OR isNull(field2_unit), round(field2_num/1024,2), field2_num),
field1_unit = "m",
field2_unit = "GB"
| eval
field1 = field1_num.field1_unit,
field2 = field2_num.field2_unit
| table field1, field2
And the screenshot from my lab:
Hi @kirrusk ,
See if the following does the trick (ignore the first 4 lines which I used to replicate your example):
| makeresults
| eval fields = split("1500m,20GB|2000m,21GB|45,500mb|1440m,250mb|12,15GB", "|")
| mvexpand fields
| rex field=fields "(?<field1>[^\,]+)\,(?<field2>.+?)$" | fields - _time, fields
| rex field=field1 "(?<field1_num>\d+)(?<field1_unit>\D*)$"
| rex field=field2 "(?<field2_num>\d+)(?<field2_unit>\D*)$"
| eval
field1_num = if(NOT match(field1_unit, "m$") OR isNull(field1_unit), field1_num*1000, field1_num),
field2_num = if(NOT match(field2_unit, "GB$") OR isNull(field2_unit), round(field2_num/1024,2), field2_num),
field1_unit = "m",
field2_unit = "GB"
| eval
field1 = field1_num.field1_unit,
field2 = field2_num.field2_unit
| table field1, field2
And the screenshot from my lab:
