Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to convert a PerfmonMK memory value in bytes to kilobytes using eval?

anewell
Path Finder
‎05-20-2016 12:19 PM

I am collecting a PerfmonMK dataset that includes a memory value in bytes. I would like to display the value in KB. Normally, I would simply eval the value, but that's not returning anything. Is there something different about the way that multikv keynames are extracted that doesn't work with a subsequent eval? How can I display the value in KB?

Search:

sourcetype="PerfmonMK:Process_SSRS" | eval MemKB=(Working_Set_-_Private/1024)

_raw (5th field is of interest):

reportingservicesservice 0 1500 47 86646784 0.52650612403541508 0.59231938953984198

Inputs.conf

[perfmon://Process_SSRS]
interval = 60
object = Process
counters = % Processor Time; ID Process; Thread Count; Working Set - Private; IO Read Operations/sec; IO Write Operations/sec
instances = reportingservicesservice
index= perfmon
disabled = 0 
useEnglishOnly = true
showZeroValue = true
mode = multikv

Splunk Enterprise 6.3.3 on both Indexer and Universal Forwarder.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-20-2016 12:34 PM

I assume you have verified the field has values. Try renaming the field to one with no hyphens. I seen strange behaviors when fields have hyphen in them. You could also try putting the field name within quotes.

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-20-2016 12:34 PM

I assume you have verified the field has values. Try renaming the field to one with no hyphens. I seen strange behaviors when fields have hyphen in them. You could also try putting the field name within quotes.

Reply
Solved! Jump to solution

anewell
Path Finder
‎05-20-2016 12:45 PM

The rename works:
| rename Working_Set_-_Private AS AlphaOnly | eval KB=(AlphaOnly/1024) | table KB

Quoting the field name results in an implicit typeconversion, and throws "Error in 'eval' command: Typechecking failed. '/' only takes numbers."

Thanks for the rename suggestion.

0 Karma
Reply
Solved! Jump to solution

anewell
Path Finder
‎05-20-2016 12:54 PM

Convert the comment to an answer and I'll happy award your well-earned imaginary internet points!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-20-2016 12:48 PM

Try using single quotes around the field name.

...| eval KB=(' Working_Set_-_Private'/1024) | table KB
Reply
Solved! Jump to solution

anewell
Path Finder
‎05-23-2016 12:43 PM

D'oh! ...and it saves wear and tear on my Shift key! Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...