Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert bytes to megabytes for use in my timechart search?

sundaresh83
Explorer
‎03-31-2015 10:15 AM

Hi,

I am writing a search: 

timechart span=1h sum(Bytes) AS "MBytes "

In the same search, I want it to return Mb instead of bytes ie. bytes/1000000.
So I tried: 

stats sum(eval in_mB =Bytes/1000000) as "MBytes"

But just eval in_mB =Bytes/1000000 works. Can I store this as a column for future use instead of rewriting it? How do I do it?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

ppablo
Retired
‎03-31-2015 10:35 AM

Hi sundaresh83

What if you just do the eval conversion separately before the timechart?

(your base search) | eval in_mB=Bytes/1000000 | timechart span=1h sum(in_mB) as "MBytes"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Patient
Path Finder
‎03-31-2015 10:38 AM

Hi,

Try with:

 | eval megabytes=((bytes/1024)/1024) | timechart sum(megabytes)
Reply
Solved! Jump to solution

Patient
Path Finder
‎03-31-2015 10:47 AM

Hi!

have you tried with the above search query?

0 Karma
Reply
Solved! Jump to solution

Patient
Path Finder
‎03-31-2015 11:11 AM

Thank you for your vote!

0 Karma
Reply
Solved! Jump to solution

sundaresh83
Explorer
‎03-31-2015 11:06 AM

works... thanks...

0 Karma
Reply
Solved! Jump to solution
Solution

ppablo
Retired
‎03-31-2015 10:35 AM

Hi sundaresh83

What if you just do the eval conversion separately before the timechart?

(your base search) | eval in_mB=Bytes/1000000 | timechart span=1h sum(in_mB) as "MBytes"
0 Karma
Reply
Solved! Jump to solution

Patient
Path Finder
‎03-31-2015 11:09 AM

Hi!
Note that 1Mb=1024*1024 Bytes

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎03-31-2015 11:16 AM

yup, @Patient's calculation below will be more accurate

0 Karma
Reply
Solved! Jump to solution

sundaresh83
Explorer
‎03-31-2015 10:40 AM

@ppablo_splunk
This will work, but I do now want it to return the "in_mB value and the sum value.
I want my query to return only the sum value in MB.

0 Karma
Reply
Solved! Jump to solution

sundaresh83
Explorer
‎03-31-2015 11:05 AM

works... thanks..

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top