How do I convert this query to display the results in GB instead of kb?
index="_internal" source="*metrics.log" per_sourcetype_thruput | chart sum(kb) by series
Currently I'm just do a ~result~/1024^2 in Excel, but it'd be stellar to not have to do that as I'm sure Splunk can do the conversion for me.
Also, is there an efficient way to get the results to be listed by Source instead of Source Type? Replacing "per_sourcetype_thruput" with "per_source_thruput" displays all the individual .log files and takes a long long time to complete. If that's the only way, that's fine, I just didn't know if there was another way.
You can use the power of 1024, and anticipate the use of a macro, plus you need to use eval out of the sum() if you want to round the results: index="_internal" source="*metrics.log" per_sourcetype_thruput| chart sum(kb) as Size by series
| eval KB=round(Size/pow(1024,0),2), MB=round(Size/pow(1024,1),2), GB=round(Size/pow(1024,2),2)
| table series, Size, KB, MB, GB