Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Convert #B/KB/MB/GB into bytes without a unit?

msarro
Builder
‎09-13-2016 07:25 AM

Hey everyone. Searching around, I see tons of answers related to converting numerical bytes into KB/MB/GB/TB. However, I can't seem to find any answers going in the other direction.

We have fields that can have values formatted as any of the following

  • 123B
  • 123KB
  • 123MB
  • 123GB
  • 123TB

The unit used can vary by event. So the same field might be 123B in one event, then 123MB in the next event, and 123KB in the next one. I want to strip the unit off, and convert everything into bytes (I don't mind trailing zeros). How would I go about doing this?

I am assuming I would need to strip the value, convert to a number, but how would I do an "if" if the unit type has already been stripped?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-13-2016 07:36 AM

Give this a try (run anywhere sample)

| gentimes start=-1 | eval WithUnit="123B 123KB 123MB 123GB 123TB" | makemv WithUnit | table WithUnit | mvexpand WithUnit
| rex field=WithUnit "^(?<Value>\d+)(?<Unit>\w*)$" | eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1) 
| eval InBytes=Value*factor

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-13-2016 07:36 AM

Give this a try (run anywhere sample)

| gentimes start=-1 | eval WithUnit="123B 123KB 123MB 123GB 123TB" | makemv WithUnit | table WithUnit | mvexpand WithUnit
| rex field=WithUnit "^(?<Value>\d+)(?<Unit>\w*)$" | eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1) 
| eval InBytes=Value*factor
Reply
Solved! Jump to solution

Rialf1959
Explorer
‎10-19-2017 05:39 AM

What about fields with dot?
rex field=WithUnit "^(?\d*.\d*)(?\w*)$"

How to round them?
Thanks

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎09-13-2016 07:57 AM

Good answer. (Missing a double quote in the first eval.)

Reply
Solved! Jump to solution

msarro
Builder
‎09-13-2016 08:01 AM

Awesome, thanks! This is actually the path I had been starting to take, but the case statement makes it a whole lot nicer than several eval if statements. I'm stealing.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-13-2016 08:00 AM

Thanks...Fixed..

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top