
How to change the unit values (5G to 5 and 400M to .4) for a scripted input?

shearsey
New Member

I have scripted output from the UGE qhost command that gives memory in G (GBs) or, if less than 1GB, in M (MBs). I'd like to timechart the information, so I need them as numeric fields with the same units. I can strip the G's out in my shell script to give a numeric field, but I also need to change the M values by dividing by 1024 (ideally), or could round anything in MBs up to 1.

Original:

HOSTNAME                ARCH         NCPU NSOC NCOR NTHR NLOAD  MEMTOT  MEMUSE  SWAPTO  SWAPUS
----------------------------------------------------------------------------------------------
grc106                  lx-amd64       24    2   12   24  0.19   94.5G    3.1G   16.0G     0.0
grc108                  lx-amd64       24    2   12   24  0.00   94.5G 512.0M   16.0G     0.0

Would like to be:

grc106                  lx-amd64       24    2   12   24  0.19   94.5   3.1   16.0     0.0
grc108                  lx-amd64       24    2   12   24  0.00   94.5  .50   16.0     0.0

TIA,
Simon

1 Solution

beatus
Communicator

You're probably best doing everything in MB, then you can convert to GB when you'd prefer to display that way. Best of both worlds, so you don't lose resolution.

You could accomplish this in Splunk with existing data, dealing with both cases, by the use of eval too (in this case, converting all to MB):

|eval MEMTOT=case(like(MEMTOT, "%G"), (substr(MEMTOT, 1, len(MEMTOT)-1)*1024), like(MEMTOT, "%M"), substr(MEMTOT, 1, len(MEMTOT)-1), 1==1, MEMTOT)

And the other direction (Converting to GB):

|eval MEMTOT=case(like(MEMTOT, "%G"), substr(MEMTOT, 1, len(MEMTOT)-1), like(MEMTOT, "%M"), (substr(MEMTOT, 1, len(MEMTOT)-1)/1024), 1==1, MEMTOT)

The use of 1==1 in the case statement serves as a catch-all (a nice trick for case statements): in the event that there's no "M" or "G", we just keep the value unaltered. You could apply this method to as many fields as needed.


shearsey
New Member

Gave it a whirl.

Changed "sybstr" to "substr" and added a ")" before the 2nd comma to get matching ('s and )'s. Now the error is:
Error in 'eval' command: Typechecking failed. '/' only takes numbers.

sourcetype="uge_qhost" | eval memtot=case(like(memtot,"%G"), (substr(memtot,1,len(memtot)-1)), like(memtot, "%M"), (substr(memtot, 1, len(memtot)-1)/1024), 1==1, memtot)

Starting to think doing this with sed before the data goes into Splunk might be wiser.

Cheers,
Simon


beatus
Communicator

Shearsey,
I think you're right about tackling it at the script level. If you can get it consistent there and control the script, it's the way to go. I just wanted to provide a Splunk solution in the event that others do not have the ability to mod the script.

As for the eval issue, you can force the type to int with "tonumber()" like so:

|eval MEMTOT=case(like(MEMTOT, "%G"), (tonumber(substr(MEMTOT, 1, len(MEMTOT)-1))*1024), like(MEMTOT, "%M"), tonumber(substr(MEMTOT, 1, len(MEMTOT)-1)), 1==1, tonumber(MEMTOT))

Thanks for catching that typo. I had tested it, so I'm not sure how I managed to mangle it after a copy and paste.

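As an added example (not code posted in this thread), here is the script-level normalization both posts converge on, done in POSIX shell/awk before the data reaches Splunk: every memory column is rewritten to a plain GB number, with the same pass-through behaviour as the 1==1 catch-all in the eval version. It assumes qhost output shaped like the sample above (MEMTOT, MEMUSE, SWAPTO, SWAPUS in columns 8-11, values such as "94.5G", "512.0M" or a bare "0.0"); the function names are mine.

```shell
# Convert a single qhost memory value to GB as a plain number.
# "94.5G" -> "94.5", "512.0M" -> "0.500"; anything without a G/M suffix
# (e.g. "0.0" or the "-" qhost prints for an unreachable host) passes through,
# which is the shell equivalent of the 1==1 catch-all branch.
to_gb() {
  case "$1" in
    *G) printf '%s\n' "${1%G}" ;;
    *M) awk -v v="${1%M}" 'BEGIN { printf "%.3f\n", v / 1024 }' ;;
    *)  printf '%s\n' "$1" ;;
  esac
}

# Read raw qhost output on stdin and emit it with columns 8-11 in GB.
# Lines whose 8th field is not a memory value (the HOSTNAME header, the
# dashed rule, the "global" summary row) are printed unchanged.
normalize_qhost() {
  awk '
    $8 !~ /^[0-9.]+[GM]?$/ { print; next }
    {
      for (i = 8; i <= 11; i++) {
        v = $i
        if (v ~ /G$/)
          $i = substr(v, 1, length(v) - 1)
        else if (v ~ /M$/)
          $i = sprintf("%.3f", substr(v, 1, length(v) - 1) / 1024)
      }
      print   # assigning a field makes awk rebuild $0 with single spaces
    }'
}

# Constructed sample, copied from the qhost output quoted in the question.
sample_qhost() {
  printf '%s\n' \
    'HOSTNAME ARCH NCPU NSOC NCOR NTHR NLOAD MEMTOT MEMUSE SWAPTO SWAPUS' \
    '-------------------------------------------------------------------' \
    'grc106 lx-amd64 24 2 12 24 0.19 94.5G 3.1G 16.0G 0.0' \
    'grc108 lx-amd64 24 2 12 24 0.00 94.5G 512.0M 16.0G 0.0'
}
```

Piping `qhost | normalize_qhost` in the scripted input gives Splunk numeric columns directly, so no eval is needed at search time.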