Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to get results to display volume as BYTES, KB, MB, GB, and TB?

elijahputnam
New Member
‎08-25-2016 11:17 AM

Hello,

I have search and currently the results show in MB. For example:

Current Search:

Vol in MB
112435
9734
29845
725634
3564476
233463

I would like to have it show up as like the below example:

Volume
723 MB
14MB
12KB
12GB
1.2 TB

Here is the search context which we are using:

index=pan_logs $vsys_name$ eventtype=pan_traffic action=allowed   | stats sparkline sum(bytes) AS sbytes by app | sort -sbytes | head 8 | eval Application=upper(app) | eval "Vol in MB"=round(sbytes/1024/1024) | rename sparkline AS Distribution | table Application "Vol in MB" Distribution

Result:

Application.........................Vol in MB................. Distribution
Quic...................................... 342
Wb-Browsing........................306

SSL.........................................26
MS-SMS.................................14
Google-Base.........................13
Skype.....................................3
MS-Update............................2

Tags (3)
0 Karma
Reply

sundareshr
Legend
‎08-25-2016 11:50 AM

Try this (you may have to fix the math 🙂 )

| eval Volume=case(sbytes<=1024, sbytes." B", sbytes>1024 AND sbytes<=(1024*1024), round(sbytes/(1024),1)." KB", sbytes>(1024*1024) AND sbytes<=(1024*1024*1024), round(sbytes/(1024*1024), 1)." MB", sbytes>(1024*1024*1024) AND sbytes<=(1024*1024*1024*1024), round(sbytes/(1024*1024*1024), 1)." GB", sbytes>(1024*1024*1024*1024), round(sbytes/(1024*1024*1024*1024), 1)." TB", 1=1, "UNK")
0 Karma
Reply

elijahputnam
New Member
‎08-25-2016 12:16 PM

I added what you posted to my search but now the values are showing up blank under "Vol in MB"

Here is my complete search now.

index=pan_logs $vsys_name$ eventtype=pan_traffic action=allowed | stats sparkline sum(bytes) AS sbytes by app | sort -sbytes | head 8 | eval Application=upper(app) | eval Volume=case(sbytes<=1024, sbytes." B", sbytes>1024 AND sbytes<=(1024*1024), round(sbytes/(1024),1)." KB", sbytes>(1024*1024) AND sbytes<=(1024*1024*1024), round(sbytes/(1024*1024), 1)." MB", sbytes>(1024*1024*1024) AND sbytes<=(1024*1024*1024*1024), round(sbytes/(1024*1024*1024), 1)." GB", sbytes>(1024*1024*1024*1024), round(sbytes/(1024*1024*1024*1024), 1)." TB", 1=1, "UNK") | rename sparkline AS Distribution | table Application "Vol in MB" Distribution

0 Karma
Reply

sundareshr
Legend
‎08-25-2016 12:43 PM

Change "Vol in MB" to Volume, in your last table segment. Like this

 | table Application Volume Distribution
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...