Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change the unit values (5G to 5 and 400M to .4) for a scripted input?

shearsey
New Member
‎03-29-2017 03:26 PM

I have scripted output from UGE qhost command that gives memory in G (GBs) or if less than 1GB, in M (MBs). I'd like to timechart the information so I need them as numeric fields with same units. I can strip the G's out in my shell script to give numeric field but also need to change M values by dividing by 1024 (ideally) or could round up anything in MB's up to 1.

-Original - 

HOSTNAME                ARCH         NCPU NSOC NCOR NTHR NLOAD  MEMTOT  MEMUSE  SWAPTO  SWAPUS
----------------------------------------------------------------------------------------------
grc106                  lx-amd64       24    2   12   24  0.19   94.5G    3.1G   16.0G     0.0
grc108                  lx-amd64       24    2   12   24  0.00   94.5G 512.0M   16.0G     0.0

-Would like to be -

grc106                  lx-amd64       24    2   12   24  0.19   94.5   3.1   16.0     0.0
grc108                  lx-amd64       24    2   12   24  0.00   94.5  .50   16.0     0.0

TIA,
Simon

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

beatus
Communicator
‎03-29-2017 04:40 PM

You're probably best doing everything in MB, then you can convert to GB when you'd prefer to display that way. Best of both worlds, so you don't lose resolution.

You could accomplish this in Splunk with existing data dealing with both cases by the use of eval too (In this case, converting all to MB):

|eval MEMTOT=case(like(MEMTOT, "%G"), (substr(MEMTOT, 1, len(MEMTOT)-1)*1024), like(MEMTOT, "%M"), substr(MEMTOT, 1, len(MEMTOT)-1), 1==1, MEMTOT)

And the other direction (Converting to GB):

|eval MEMTOT=case(like(MEMTOT, "%G"), (substr(MEMTOT, 1, len(MEMTOT)-1), like(MEMTOT, "%M"), (substr(MEMTOT, 1, len(MEMTOT)-1)/1024), 1==1, MEMTOT)

The use of 1==1 in the case statement serves as a catch all (A nice trick for case statements) - In the event that there's no "M" or "G" we just keep the value un-altered. You could apply this method to as many fields as needed.

View solution in original post

Reply
Solved! Jump to solution
Solution

beatus
Communicator
‎03-29-2017 04:40 PM

You're probably best doing everything in MB, then you can convert to GB when you'd prefer to display that way. Best of both worlds, so you don't lose resolution.

You could accomplish this in Splunk with existing data dealing with both cases by the use of eval too (In this case, converting all to MB):

|eval MEMTOT=case(like(MEMTOT, "%G"), (substr(MEMTOT, 1, len(MEMTOT)-1)*1024), like(MEMTOT, "%M"), substr(MEMTOT, 1, len(MEMTOT)-1), 1==1, MEMTOT)

And the other direction (Converting to GB):

|eval MEMTOT=case(like(MEMTOT, "%G"), (substr(MEMTOT, 1, len(MEMTOT)-1), like(MEMTOT, "%M"), (substr(MEMTOT, 1, len(MEMTOT)-1)/1024), 1==1, MEMTOT)

The use of 1==1 in the case statement serves as a catch all (A nice trick for case statements) - In the event that there's no "M" or "G" we just keep the value un-altered. You could apply this method to as many fields as needed.

Reply
Solved! Jump to solution

shearsey
New Member
‎04-03-2017 03:47 PM

Gave it a whir.

Changed "sybstr" to "substr" and added a ")" before 2nd comma to get matching ('s and )'s. Now error is:
Error in 'eval' command: Typechecking failed. '/' only takes numbers.

sourcetype="uge_qhost" | eval memtot=case(like(memtot,"%G"), (substr(memtot,1,len(memtot)-1)), like(memtot, "%M"), (substr(memtot, 1, len(memtot)-1)/1024), 1==1, memtot)

Starting think doing this with sed before the data goes into splunk might be wiser.

Cheers,
Simon

0 Karma
Reply
Solved! Jump to solution

beatus
Communicator
‎04-03-2017 04:36 PM

Shearsey,
I think you're right about tackling it at the script level. If you can get it consistent then and control the script it's the way to go. I just wanted to provide a Splunk solution in the event that others do not have the ability to mod the script.

As for the eval issue, you can force the type to int with "tonumber()" like so:

|eval MEMTOT=case(like(MEMTOT, "%G"), (tonumber(substr(MEMTOT, 1, len(MEMTOT)-1))*1024), like(MEMTOT, "%M"), tonumber(substr(MEMTOT, 1, len(MEMTOT)-1)), 1==1, tonumber(MEMTOT))

Thanks for catching that typo, I had tested it so i'm not sure how i managed to mangle it after a copy and paste.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...