Splunk Search

Convert #B/KB/MB/GB into bytes without a unit?

msarro
Builder

Hey everyone. Searching around, I see tons of answers related to converting numerical bytes into KB/MB/GB/TB. However, I can't seem to find any answers going in the other direction.

We have fields that can have values formatted as any of the following

  • 123B
  • 123KB
  • 123MB
  • 123GB
  • 123TB

The unit used can vary by event. So the same field might be 123B in one event, then 123MB in the next event, and 123KB in the next one. I want to strip the unit off, and convert everything into bytes (I don't mind trailing zeros). How would I go about doing this?

I am assuming I would need to strip the value, convert to a number, but how would I do an "if" if the unit type has already been stripped?

0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try (run anywhere sample)

| gentimes start=-1 | eval WithUnit="123B 123KB 123MB 123GB 123TB" | makemv WithUnit | table WithUnit | mvexpand WithUnit
| rex field=WithUnit "^(?<Value>\d+)(?<Unit>\w*)$" | eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1) 
| eval InBytes=Value*factor

View solution in original post

somesoni2
Revered Legend

Give this a try (run anywhere sample)

| gentimes start=-1 | eval WithUnit="123B 123KB 123MB 123GB 123TB" | makemv WithUnit | table WithUnit | mvexpand WithUnit
| rex field=WithUnit "^(?<Value>\d+)(?<Unit>\w*)$" | eval factor=case(Unit="B",1,Unit="KB",1024,Unit="MB",1024*1024,Unit="GB",1024*1024*1024,Unit="TB",11024*1024*1024*1024,true(),1) 
| eval InBytes=Value*factor

Rialf1959
Explorer

What about fields with dot?
rex field=WithUnit "^(?\d*.\d*)(?\w*)$"

How to round them?
Thanks

0 Karma

twinspop
Influencer

Good answer. (Missing a double quote in the first eval.)

msarro
Builder

Awesome, thanks! This is actually the path I had been starting to take, but the case statement makes it a whole lot nicer than several eval if statements. I'm stealing.

0 Karma

somesoni2
Revered Legend

Thanks...Fixed..

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...