Splunk Search

## Convert #B/KB/MB/GB into bytes without a unit?

Builder

Hey everyone. Searching around, I see tons of answers related to converting numerical bytes into KB/MB/GB/TB. However, I can't seem to find any answers going in the other direction.

We have fields that can have values formatted as any of the following

• 123B
• 123KB
• 123MB
• 123GB
• 123TB

The unit used can vary by event. So the same field might be 123B in one event, then 123MB in the next event, and 123KB in the next one. I want to strip the unit off, and convert everything into bytes (I don't mind trailing zeros). How would I go about doing this?

I am assuming I would need to strip the value, convert to a number, but how would I do an "if" if the unit type has already been stripped?

Tags (3)
1 Solution
Revered Legend

Give this a try (run anywhere sample)

``````| gentimes start=-1 | eval WithUnit="123B 123KB 123MB 123GB 123TB" | makemv WithUnit | table WithUnit | mvexpand WithUnit
| rex field=WithUnit "^(?<Value>\d+)(?<Unit>\w*)\$" | eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1)
| eval InBytes=Value*factor
``````
Revered Legend

Give this a try (run anywhere sample)

``````| gentimes start=-1 | eval WithUnit="123B 123KB 123MB 123GB 123TB" | makemv WithUnit | table WithUnit | mvexpand WithUnit
| rex field=WithUnit "^(?<Value>\d+)(?<Unit>\w*)\$" | eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1)
| eval InBytes=Value*factor
``````
Explorer

rex field=WithUnit "^(?\d*.\d*)(?\w*)\$"

How to round them?
Thanks

Influencer

Good answer. (Missing a double quote in the first `eval`.)

Builder

Awesome, thanks! This is actually the path I had been starting to take, but the case statement makes it a whole lot nicer than several eval if statements. I'm stealing.

Revered Legend

Thanks...Fixed..

Get Updates on the Splunk Community!

#### Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

#### Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

#### .conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...