Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to convert a PerfmonMK memory value in bytes to kilobytes using eval?

anewell
Path Finder
‎05-20-2016 12:19 PM

I am collecting a PerfmonMK dataset that includes a memory value in bytes. I would like to display the value in KB. Normally, I would simply eval the value, but that's not returning anything. Is there something different about the way that multikv keynames are extracted that doesn't work with a subsequent eval? How can I display the value in KB?

Search:

sourcetype="PerfmonMK:Process_SSRS" | eval MemKB=(Working_Set_-_Private/1024)

_raw (5th field is of interest):

reportingservicesservice 0 1500 47 86646784 0.52650612403541508 0.59231938953984198

Inputs.conf

[perfmon://Process_SSRS]
interval = 60
object = Process
counters = % Processor Time; ID Process; Thread Count; Working Set - Private; IO Read Operations/sec; IO Write Operations/sec
instances = reportingservicesservice
index= perfmon
disabled = 0 
useEnglishOnly = true
showZeroValue = true
mode = multikv

Splunk Enterprise 6.3.3 on both Indexer and Universal Forwarder.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-20-2016 12:34 PM

I assume you have verified the field has values. Try renaming the field to one with no hyphens. I seen strange behaviors when fields have hyphen in them. You could also try putting the field name within quotes.

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-20-2016 12:34 PM

I assume you have verified the field has values. Try renaming the field to one with no hyphens. I seen strange behaviors when fields have hyphen in them. You could also try putting the field name within quotes.

Reply
Solved! Jump to solution

anewell
Path Finder
‎05-20-2016 12:45 PM

The rename works:
| rename Working_Set_-_Private AS AlphaOnly | eval KB=(AlphaOnly/1024) | table KB

Quoting the field name results in an implicit typeconversion, and throws "Error in 'eval' command: Typechecking failed. '/' only takes numbers."

Thanks for the rename suggestion.

0 Karma
Reply
Solved! Jump to solution

anewell
Path Finder
‎05-20-2016 12:54 PM

Convert the comment to an answer and I'll happy award your well-earned imaginary internet points!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-20-2016 12:48 PM

Try using single quotes around the field name.

...| eval KB=(' Working_Set_-_Private'/1024) | table KB
Reply
Solved! Jump to solution

anewell
Path Finder
‎05-23-2016 12:43 PM

D'oh! ...and it saves wear and tear on my Shift key! Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...