Splunk Search

Why am I unable to convert a PerfmonMK memory value in bytes to kilobytes using eval?

anewell
Path Finder

I am collecting a PerfmonMK dataset that includes a memory value in bytes. I would like to display the value in KB. Normally, I would simply eval the value, but that's not returning anything. Is there something different about the way that multikv keynames are extracted that doesn't work with a subsequent eval? How can I display the value in KB?

Search:

sourcetype="PerfmonMK:Process_SSRS" | eval MemKB=(Working_Set_-_Private/1024) 

_raw (5th field is of interest):

reportingservicesservice 0 1500 47 86646784 0.52650612403541508 0.59231938953984198 

Inputs.conf

[perfmon://Process_SSRS]
interval = 60
object = Process
counters = % Processor Time; ID Process; Thread Count; Working Set - Private; IO Read Operations/sec; IO Write Operations/sec
instances = reportingservicesservice
index= perfmon
disabled = 0 
useEnglishOnly = true
showZeroValue = true
mode = multikv

Splunk Enterprise 6.3.3 on both Indexer and Universal Forwarder.

0 Karma
1 Solution

sundareshr
Legend

I assume you have verified the field has values. Try renaming the field to one with no hyphens. I seen strange behaviors when fields have hyphen in them. You could also try putting the field name within quotes.

View solution in original post

sundareshr
Legend

I assume you have verified the field has values. Try renaming the field to one with no hyphens. I seen strange behaviors when fields have hyphen in them. You could also try putting the field name within quotes.

anewell
Path Finder

The rename works:
| rename Working_Set_-_Private AS AlphaOnly | eval KB=(AlphaOnly/1024) | table KB

Quoting the field name results in an implicit typeconversion, and throws "Error in 'eval' command: Typechecking failed. '/' only takes numbers."

Thanks for the rename suggestion.

0 Karma

anewell
Path Finder

Convert the comment to an answer and I'll happy award your well-earned imaginary internet points!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try using single quotes around the field name.

...| eval KB=(' Working_Set_-_Private'/1024) | table KB

anewell
Path Finder

D'oh! ...and it saves wear and tear on my Shift key! Thanks.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...