Hi,
I am writing a search:
timechart span=1h sum(Bytes) AS "MBytes "
In the same search, I want it to return Mb instead of bytes ie. bytes/1000000.
So I tried:
stats sum(eval in_mB =Bytes/1000000) as "MBytes"
But just eval in_mB =Bytes/1000000
works. Can I store this as a column for future use instead of rewriting it? How do I do it?
Hi sundaresh83
What if you just do the eval conversion separately before the timechart?
(your base search) | eval in_mB=Bytes/1000000 | timechart span=1h sum(in_mB) as "MBytes"
Hi,
Try with:
| eval megabytes=((bytes/1024)/1024) | timechart sum(megabytes)
Hi!
have you tried with the above search query?
Thank you for your vote!
works... thanks...
Hi sundaresh83
What if you just do the eval conversion separately before the timechart?
(your base search) | eval in_mB=Bytes/1000000 | timechart span=1h sum(in_mB) as "MBytes"
Hi!
Note that 1Mb=1024*1024 Bytes
yup, @Patient's calculation below will be more accurate
@ppablo_splunk
This will work, but I do now want it to return the "in_mB value and the sum value.
I want my query to return only the sum value in MB.
works... thanks..