Solved: How do I change the value of a search to MB?

marcusmartin · ‎10-01-2018

I have this search which shows the total of bytes coming in for a particular time period. Can someone tell me how to change the search so i can have the value changed to MB? I understand i should maybe be using the eval function but, try as i might, i can't seem to get the output i want.

sourcetype="microsoft:forefront:tmg:proxy" | stats Sum(sc_bytes)

richgalloway · ‎10-01-2018

To convert bytes to MB, divide by 1024 twice.

sourcetype="microsoft:forefront:tmg:proxy" | stats Sum(sc_bytes) as sum_bytes | eval sum_MB=sum_bytes/1024/1024

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-01-2018

To convert bytes to MB, divide by 1024 twice.

sourcetype="microsoft:forefront:tmg:proxy" | stats Sum(sc_bytes) as sum_bytes | eval sum_MB=sum_bytes/1024/1024

---
If this reply helps you, Karma would be appreciated.

marcusmartin · ‎10-01-2018

Oooooooh I was so close, I had all the words just in the wrong order 🙂 thanks so much. Just need to truncate it now

How do I change the value of a search to MB?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

How do I change the value of a search to MB?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console