Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Convert #B/KB/MB/GB into bytes without a unit?

msarro
Builder
‎09-13-2016 07:25 AM

Hey everyone. Searching around, I see tons of answers related to converting numerical bytes into KB/MB/GB/TB. However, I can't seem to find any answers going in the other direction.

We have fields that can have values formatted as any of the following

  • 123B
  • 123KB
  • 123MB
  • 123GB
  • 123TB

The unit used can vary by event. So the same field might be 123B in one event, then 123MB in the next event, and 123KB in the next one. I want to strip the unit off, and convert everything into bytes (I don't mind trailing zeros). How would I go about doing this?

I am assuming I would need to strip the value, convert to a number, but how would I do an "if" if the unit type has already been stripped?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-13-2016 07:36 AM

Give this a try (run anywhere sample)

| gentimes start=-1 | eval WithUnit="123B 123KB 123MB 123GB 123TB" | makemv WithUnit | table WithUnit | mvexpand WithUnit
| rex field=WithUnit "^(?<Value>\d+)(?<Unit>\w*)$" | eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1) 
| eval InBytes=Value*factor

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-13-2016 07:36 AM

Give this a try (run anywhere sample)

| gentimes start=-1 | eval WithUnit="123B 123KB 123MB 123GB 123TB" | makemv WithUnit | table WithUnit | mvexpand WithUnit
| rex field=WithUnit "^(?<Value>\d+)(?<Unit>\w*)$" | eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1) 
| eval InBytes=Value*factor
Reply
Solved! Jump to solution

Rialf1959
Explorer
‎10-19-2017 05:39 AM

What about fields with dot?
rex field=WithUnit "^(?\d*.\d*)(?\w*)$"

How to round them?
Thanks

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎09-13-2016 07:57 AM

Good answer. (Missing a double quote in the first eval.)

Reply
Solved! Jump to solution

msarro
Builder
‎09-13-2016 08:01 AM

Awesome, thanks! This is actually the path I had been starting to take, but the case statement makes it a whole lot nicer than several eval if statements. I'm stealing.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-13-2016 08:00 AM

Thanks...Fixed..

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...