Splunk Search

Why am I unable to convert a PerfmonMK memory value in bytes to kilobytes using eval?

anewell
Path Finder

I am collecting a PerfmonMK dataset that includes a memory value in bytes. I would like to display the value in KB. Normally, I would simply eval the value, but that's not returning anything. Is there something different about the way that multikv keynames are extracted that doesn't work with a subsequent eval? How can I display the value in KB?

Search:

sourcetype="PerfmonMK:Process_SSRS" | eval MemKB=(Working_Set_-_Private/1024) 

_raw (5th field is of interest):

reportingservicesservice 0 1500 47 86646784 0.52650612403541508 0.59231938953984198 

Inputs.conf

[perfmon://Process_SSRS]
interval = 60
object = Process
counters = % Processor Time; ID Process; Thread Count; Working Set - Private; IO Read Operations/sec; IO Write Operations/sec
instances = reportingservicesservice
index= perfmon
disabled = 0 
useEnglishOnly = true
showZeroValue = true
mode = multikv

Splunk Enterprise 6.3.3 on both Indexer and Universal Forwarder.

0 Karma
1 Solution

sundareshr
Legend

I assume you have verified the field has values. Try renaming the field to one with no hyphens. I seen strange behaviors when fields have hyphen in them. You could also try putting the field name within quotes.

View solution in original post

sundareshr
Legend

I assume you have verified the field has values. Try renaming the field to one with no hyphens. I seen strange behaviors when fields have hyphen in them. You could also try putting the field name within quotes.

anewell
Path Finder

The rename works:
| rename Working_Set_-_Private AS AlphaOnly | eval KB=(AlphaOnly/1024) | table KB

Quoting the field name results in an implicit typeconversion, and throws "Error in 'eval' command: Typechecking failed. '/' only takes numbers."

Thanks for the rename suggestion.

0 Karma

anewell
Path Finder

Convert the comment to an answer and I'll happy award your well-earned imaginary internet points!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try using single quotes around the field name.

...| eval KB=(' Working_Set_-_Private'/1024) | table KB

anewell
Path Finder

D'oh! ...and it saves wear and tear on my Shift key! Thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...