Splunk Search

Converting units in my classification breaks my alert?

klaudiac
Path Finder

Hi, 

I had a good base search for a calculation and alerting when an upload/download happens, but now I tried to tidy it up and convert bytes to KB and show a percentage as a "10%" instead of just "10", but somewhere along the way my search breaks... 
When I try to show bytes as KB using this:

| eval total_KB_bytes=round(total_bytes/1024,0)."KB"
| eval KB_bytes_in=round(bytes_in/1024,0)."KB"
| eval KB_bytes_out=round(bytes_out/1024,0)."KB" 

my Classification and Alert break.


Any help would be greatly appreciated! 


The original search is:

index=zscaler http_method IN ("POST", "PUT")

| rename bytes as "total_bytes"
| table _time index user src_user_email dest app appclass category http_method filetype total_bytes bytes_in bytes_out

| eval user_bytes_perc_download = round((bytes_in/total_bytes)*100,2)
| eval user_bytes_perc_upload = round((bytes_out/total_bytes)*100,2)
| eval Classification=case(user_bytes_perc_download > 70,"download", user_bytes_perc_upload > 70,"upload", user_bytes_perc_download <70 AND user_bytes_perc_upload <70, "none")

| eval Alert=if((Classification="download" OR Classification="upload") AND total_bytes > 20000, "YES", "NO")
0 Karma
1 Solution

rnowitzki
Builder

Hi @klaudiac,

Try fieldformat. It does change the way a value is displayed, but does not change the underlying value/type of data.

| eval kb=bytes/1024
| fieldformat kb=round(kb,2)."kb"

 
Hope it helps.
BR
Ralph

--
Karma and/or Solution tagging appreciated.


0 Karma

tfujita_splunk
Splunk Employee

This could also be a solution for you.

https://community.splunk.com/t5/Splunk-Search/FileSize-to-human-readable/m-p/629602/highlight/true#M...

| makeresults count=35
```THIS SECTION IS JUST CREATING SAMPLE VALUES.```
| streamstats count as digit
| eval val=pow(10,digit-1), val=val+random()%val
| foreach bytes [eval <<FIELD>>=val]
| table digit val bytes
| fieldformat val=tostring(val,"commas")

```THE FOLLOWING LINES MAY BE WHAT ACHIEVES THE FORMAT YOU ARE LOOKING FOR.```
| fieldformat bytes=printf("% 10s",printf("%.2f",round(bytes/pow(1024,if(bytes=0,0,floor(min(log(bytes,1024),10)))),2)).case(bytes=0 OR log(bytes,1024)<1,"B ", log(bytes,1024)<2,"KiB", log(bytes,1024)<3,"MiB", log(bytes,1024)<4,"GiB", log(bytes,1024)<5,"TiB", log(bytes,1024)<6,"PiB", log(bytes,1024)<7,"EiB", log(bytes,1024)<8,"ZiB", log(bytes,1024)<9,"YiB", log(bytes,1024)<10,"RiB", log(bytes,1024)<11,"QiB", 1=1, "QiB"))

 

If you can install an app, or ask your admin to install one,

installing the add-on Numeral system macros for Splunk enables you to use the macros numeral_binary_symbol(1) or numeral_binary_symbol(2).

Example

| makeresults count=35
```THIS SECTION IS JUST CREATING SAMPLE VALUES.```
| streamstats count as digit
| eval val=pow(10,digit-1), val=val+random()%val
| foreach bytes [eval <<FIELD>>=val]
| table digit val bytes
| fieldformat val=tostring(val,"commas")

```THE FOLLOWING LINES MAY BE WHAT ACHIEVES THE FORMAT YOU ARE LOOKING FOR.```
| fieldformat bytes=printf("% 10s",`numeral_binary_symbol(bytes,2)`)

 

Numeral system macros for Splunk

https://splunkbase.splunk.com/app/6595


Usage:

How to convert a large number to string with expressions of long and short scales, or neither.

https://community.splunk.com/t5/Splunk-Search/How-to-convert-a-large-number-to-string-with-expressio...

0 Karma


klaudiac
Path Finder

Hi Ralph, 

The | fieldformat makes it look so much neater, thanks very much! 🙂 

rnowitzki
Builder

Hi Klaudia,

There is nothing wrong with your SPL 🙂 And you found a workaround (Set the Alert trigger before adding the "KB"), so this is just cosmetic:

You could just change the last 5 evals to fieldformat.
That way, the values are still numbers, but display for us silly humans with "KB" (or %) 😛

| eval total_KB_bytes=total_KB_bytes."KB"
change to => | fieldformat total_KB_bytes=total_KB_bytes."KB"

| eval KB_bytes_in=KB_bytes_in."KB"
change to => | fieldformat KB_bytes_in=KB_bytes_in."KB"


and so forth with all 5 evals.

Now you can still calculate/compare/whatever with the values, regardless of the "KB" added.

Cheers
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma
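The point Ralph makes above, modelled in Python as an added example (this is not Splunk code and not from anyone in this thread): the percentages, Classification and Alert are computed on raw numeric byte counts, and the "KB", "%" and binary-prefix strings are produced only afterwards, for display, which is the role fieldformat plays in SPL. Field names follow the search in the question; the events are constructed; human_binary is a plain-Python version of the log-base-1024 bucketing idea in tfujita_splunk's fieldformat, not the macro from the add-on.

```python
"""Separate computation from presentation, the way fieldformat does in SPL.

Added example. Field names mirror the thread's search; the sample events are
constructed and the thresholds (70 %, 20000 bytes) are the ones in the thread.
"""

# Constructed sample events shaped like the table in the original search.
SAMPLE_EVENTS = [
    {"user": "alice", "http_method": "POST", "total_bytes": 50_000, "bytes_in": 4_000,  "bytes_out": 46_000},
    {"user": "bob",   "http_method": "PUT",  "total_bytes": 30_000, "bytes_in": 25_000, "bytes_out": 5_000},
    {"user": "carol", "http_method": "POST", "total_bytes": 10_000, "bytes_in": 9_500,  "bytes_out": 500},
    {"user": "dave",  "http_method": "POST", "total_bytes": 40_000, "bytes_in": 20_000, "bytes_out": 20_000},
]

ALERT_THRESHOLD_BYTES = 20_000   # same threshold as the thread's Alert eval
DOMINANCE_PCT = 70               # same cut-off as the Classification eval

# Binary prefixes in the same order as the SPL case() statement.
BINARY_SYMBOLS = ["B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB", "ZiB", "YiB", "RiB", "QiB"]


def classify(event):
    """Mirror the eval chain on numbers: percentages -> Classification -> Alert.

    Everything here stays numeric, so the comparisons behave as intended.
    """
    total = event["total_bytes"]
    if total <= 0:
        # Division by zero yields null in SPL; treat that as no classification.
        pct_down = pct_up = None
        classification = "none"
    else:
        pct_down = round(event["bytes_in"] / total * 100, 2)
        pct_up = round(event["bytes_out"] / total * 100, 2)
        if pct_down > DOMINANCE_PCT:
            classification = "download"
        elif pct_up > DOMINANCE_PCT:
            classification = "upload"
        else:
            # The SPL case() leaves "exactly 70" unmatched (null); folded into "none" here.
            classification = "none"
    alert = "YES" if classification in ("download", "upload") and total > ALERT_THRESHOLD_BYTES else "NO"
    return {
        **event,
        "user_bytes_perc_download": pct_down,
        "user_bytes_perc_upload": pct_up,
        "Classification": classification,
        "Alert": alert,
    }


def human_binary(nbytes, precision=2):
    """Render a byte count as e.g. '48.83 KiB' without touching the stored number.

    Repeated division by 1024 avoids the floating-point edge cases of log(x, 1024)
    at exact powers of 1024; the exponent is capped at the last known symbol.
    """
    if nbytes <= 0:
        return f"{0:.{precision}f} B"
    value = float(nbytes)
    exponent = 0
    while value >= 1024 and exponent < len(BINARY_SYMBOLS) - 1:
        value /= 1024
        exponent += 1
    return f"{value:.{precision}f} {BINARY_SYMBOLS[exponent]}"


def display_row(row):
    """Presentation only (the fieldformat step): returns strings, leaves `row` untouched."""
    return {
        "user": row["user"],
        "total_bytes": f'{round(row["total_bytes"] / 1024)}KB',
        "bytes_in": f'{round(row["bytes_in"] / 1024)}KB',
        "bytes_out": f'{round(row["bytes_out"] / 1024)}KB',
        "total_human": human_binary(row["total_bytes"]),
        "download": "" if row["user_bytes_perc_download"] is None else f'{row["user_bytes_perc_download"]}%',
        "upload": "" if row["user_bytes_perc_upload"] is None else f'{row["user_bytes_perc_upload"]}%',
        "Classification": row["Classification"],
        "Alert": row["Alert"],
    }


def run_pipeline(events):
    """Classify first, format second; return both views so alerting uses the numeric one."""
    rows = [classify(e) for e in events]
    return rows, [display_row(r) for r in rows]


if __name__ == "__main__":
    numeric_rows, shown_rows = run_pipeline(SAMPLE_EVENTS)
    for shown in shown_rows:
        print(shown)
```

If the "KB" suffix were concatenated onto total_bytes before classify() ran, total_bytes would be a string and the `> ALERT_THRESHOLD_BYTES` comparison would no longer be a numeric test, which is the breakage the question describes; keeping the suffix in display_row keeps the alert logic on real numbers.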