- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Convert data only a field contains a specific patt...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Convert data only a field contains a specific pattern, otherwise let is as it is (if data_unity=bytes then ... else)
Hi to Everyone,
My question is ,i think, quite simple but i haven't found yet solution ^^ (i'm still quite new to Splunk!)
Let's say i have various field indexed, one contains the Data Unity and others values and so on.
I want to have only one kind of commands to generate all mycharts, currently the command is:
Without converting bytes to megabytes:
index="my_index" sourcetype="my_source" $hostname$ $monitor$ $monitor_label$ | timechart span=1h limit=10 max(value) by monitor_label
Converting bytes to megabytes:
index="my_index" sourcetype="my_source" $hostname$ $monitor$ $monitor_label$ | timechart span=1h eval(max(value)/1024/1024) by monitor_label
My goal is to have the same command for both cases including the condition where "data_unity" fields would contains "b/s" --> initiate conversion, otherwise let the data as normal.
Thank your very much for you help, as i am introducing Splunk into my company, getting the better result is my goal.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
... | eval value=if(match(value,"b/s"),value/1024/1024,value) | ...
So what we're doing here is checking if the value contains "b/s", if it does we return value/1024/1024, otherwise we return the original value.
It will also match "Mb/s", so you might need to deal with that too, it could be as simple as changing the "match" to " b/s" (with a leading space).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, i found my solution by adding an eval inside the timechart command as:
timechart span=1h limit=10 eval(round(avg(value),2))
Again, thanks for you help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well did you try with round()?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One more question please, would you know a way to limit inside the same eval the value to only 2 decimals ?
Like with command "value=round(value,2)" ?
Thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks, works perfectly as expected!
Troubleshooting the OpenTelemetry Collector
Adoption of Infrastructure Monitoring at Splunk
Modern way of developing distributed application using OTel
