Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Convert #B/KB/MB/GB into bytes without a unit?

msarro
Builder
‎09-13-2016 07:25 AM

Hey everyone. Searching around, I see tons of answers related to converting numerical bytes into KB/MB/GB/TB. However, I can't seem to find any answers going in the other direction.

We have fields that can have values formatted as any of the following

  • 123B
  • 123KB
  • 123MB
  • 123GB
  • 123TB

The unit used can vary by event. So the same field might be 123B in one event, then 123MB in the next event, and 123KB in the next one. I want to strip the unit off, and convert everything into bytes (I don't mind trailing zeros). How would I go about doing this?

I am assuming I would need to strip the value, convert to a number, but how would I do an "if" if the unit type has already been stripped?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-13-2016 07:36 AM

Give this a try (run anywhere sample)

| gentimes start=-1 | eval WithUnit="123B 123KB 123MB 123GB 123TB" | makemv WithUnit | table WithUnit | mvexpand WithUnit
| rex field=WithUnit "^(?<Value>\d+)(?<Unit>\w*)$" | eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1) 
| eval InBytes=Value*factor

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-13-2016 07:36 AM

Give this a try (run anywhere sample)

| gentimes start=-1 | eval WithUnit="123B 123KB 123MB 123GB 123TB" | makemv WithUnit | table WithUnit | mvexpand WithUnit
| rex field=WithUnit "^(?<Value>\d+)(?<Unit>\w*)$" | eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1) 
| eval InBytes=Value*factor
Reply
Solved! Jump to solution

Rialf1959
Explorer
‎10-19-2017 05:39 AM

What about fields with dot?
rex field=WithUnit "^(?\d*.\d*)(?\w*)$"

How to round them?
Thanks

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎09-13-2016 07:57 AM

Good answer. (Missing a double quote in the first eval.)

Reply
Solved! Jump to solution

msarro
Builder
‎09-13-2016 08:01 AM

Awesome, thanks! This is actually the path I had been starting to take, but the case statement makes it a whole lot nicer than several eval if statements. I'm stealing.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-13-2016 08:00 AM

Thanks...Fixed..

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...