Splunk Search
Highlighted

How to change the unit values (5G to 5 and 400M to .4) for a scripted input?

New Member

I have scripted output from UGE qhost command that gives memory in G (GBs) or if less than 1GB, in M (MBs). I'd like to timechart the information so I need them as numeric fields with same units. I can strip the G's out in my shell script to give numeric field but also need to change M values by dividing by 1024 (ideally) or could round up anything in MB's up to 1.

-Original -

HOSTNAME                ARCH         NCPU NSOC NCOR NTHR NLOAD  MEMTOT  MEMUSE  SWAPTO  SWAPUS
----------------------------------------------------------------------------------------------
grc106                  lx-amd64       24    2   12   24  0.19   94.5G    3.1G   16.0G     0.0
grc108                  lx-amd64       24    2   12   24  0.00   94.5G 512.0M   16.0G     0.0

-Would like to be -

grc106                  lx-amd64       24    2   12   24  0.19   94.5   3.1   16.0     0.0
grc108                  lx-amd64       24    2   12   24  0.00   94.5  .50   16.0     0.0

TIA,
Simon

0 Karma
Highlighted

Re: How to change the unit values (5G to 5 and 400M to .4) for a scripted input?

SplunkTrust
SplunkTrust

You're probably best doing everything in MB, then you can convert to GB when you'd prefer to display that way. Best of both worlds, so you don't lose resolution.

You could accomplish this in Splunk with existing data dealing with both cases by the use of eval too (In this case, converting all to MB):

|eval MEMTOT=case(like(MEMTOT, "%G"), (substr(MEMTOT, 1, len(MEMTOT)-1)*1024), like(MEMTOT, "%M"), substr(MEMTOT, 1, len(MEMTOT)-1), 1==1, MEMTOT)

And the other direction (Converting to GB):

|eval MEMTOT=case(like(MEMTOT, "%G"), (substr(MEMTOT, 1, len(MEMTOT)-1), like(MEMTOT, "%M"), (substr(MEMTOT, 1, len(MEMTOT)-1)/1024), 1==1, MEMTOT)

The use of 1==1 in the case statement serves as a catch all (A nice trick for case statements) - In the event that there's no "M" or "G" we just keep the value un-altered. You could apply this method to as many fields as needed.

View solution in original post

Highlighted

Re: How to change the unit values (5G to 5 and 400M to .4) for a scripted input?

New Member

Gave it a whir.

Changed "sybstr" to "substr" and added a ")" before 2nd comma to get matching ('s and )'s. Now error is:
Error in 'eval' command: Typechecking failed. '/' only takes numbers.

sourcetype="uge_qhost" | eval memtot=case(like(memtot,"%G"), (substr(memtot,1,len(memtot)-1)), like(memtot, "%M"), (substr(memtot, 1, len(memtot)-1)/1024), 1==1, memtot)

Starting think doing this with sed before the data goes into splunk might be wiser.

Cheers,
Simon

0 Karma
Highlighted

Re: How to change the unit values (5G to 5 and 400M to .4) for a scripted input?

SplunkTrust
SplunkTrust

Shearsey,
I think you're right about tackling it at the script level. If you can get it consistent then and control the script it's the way to go. I just wanted to provide a Splunk solution in the event that others do not have the ability to mod the script.

As for the eval issue, you can force the type to int with "tonumber()" like so:

|eval MEMTOT=case(like(MEMTOT, "%G"), (tonumber(substr(MEMTOT, 1, len(MEMTOT)-1))*1024), like(MEMTOT, "%M"), tonumber(substr(MEMTOT, 1, len(MEMTOT)-1)), 1==1, tonumber(MEMTOT))

Thanks for catching that typo, I had tested it so i'm not sure how i managed to mangle it after a copy and paste.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.