Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Convert data only a field contains a specific pattern, otherwise let is as it is (if data_unity=bytes then ... else)

guilmxm
Influencer
‎02-15-2013 12:50 AM

Hi to Everyone,

My question is ,i think, quite simple but i haven't found yet solution ^^ (i'm still quite new to Splunk!)

Let's say i have various field indexed, one contains the Data Unity and others values and so on.

I want to have only one kind of commands to generate all mycharts, currently the command is:

Without converting bytes to megabytes:

index="my_index" sourcetype="my_source" $hostname$ $monitor$ $monitor_label$ | timechart span=1h limit=10 max(value) by monitor_label

Converting bytes to megabytes:

index="my_index" sourcetype="my_source" $hostname$ $monitor$ $monitor_label$ | timechart span=1h eval(max(value)/1024/1024) by monitor_label

My goal is to have the same command for both cases including the condition where "data_unity" fields would contains "b/s" --> initiate conversion, otherwise let the data as normal.

Thank your very much for you help, as i am introducing Splunk into my company, getting the better result is my goal.

Tags (1)
0 Karma
Reply

jonuwz
Influencer
‎02-15-2013 02:38 AM 
   ... | eval value=if(match(value,"b/s"),value/1024/1024,value) | ...

So what we're doing here is checking if the value contains "b/s", if it does we return value/1024/1024, otherwise we return the original value.

It will also match "Mb/s", so you might need to deal with that too, it could be as simple as changing the "match" to " b/s" (with a leading space).

Reply

guilmxm
Influencer
‎02-15-2013 05:27 AM

Ok, i found my solution by adding an eval inside the timechart command as:

timechart span=1h limit=10 eval(round(avg(value),2))

Again, thanks for you help

0 Karma
Reply

Ayn
Legend
‎02-15-2013 05:24 AM

Well did you try with round()?

0 Karma
Reply

guilmxm
Influencer
‎02-15-2013 05:17 AM

One more question please, would you know a way to limit inside the same eval the value to only 2 decimals ?

Like with command "value=round(value,2)" ?

Thanks 🙂

0 Karma
Reply

guilmxm
Influencer
‎02-15-2013 05:11 AM

Many thanks, works perfectly as expected!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...