Splunk Search

Why am I unable to convert a PerfmonMK memory value in bytes to kilobytes using eval?

anewell
Path Finder

I am collecting a PerfmonMK dataset that includes a memory value in bytes. I would like to display the value in KB. Normally, I would simply eval the value, but that's not returning anything. Is there something different about the way that multikv keynames are extracted that doesn't work with a subsequent eval? How can I display the value in KB?

Search:

sourcetype="PerfmonMK:Process_SSRS" | eval MemKB=(Working_Set_-_Private/1024) 

_raw (5th field is of interest):

reportingservicesservice 0 1500 47 86646784 0.52650612403541508 0.59231938953984198 

Inputs.conf

[perfmon://Process_SSRS]
interval = 60
object = Process
counters = % Processor Time; ID Process; Thread Count; Working Set - Private; IO Read Operations/sec; IO Write Operations/sec
instances = reportingservicesservice
index= perfmon
disabled = 0 
useEnglishOnly = true
showZeroValue = true
mode = multikv

Splunk Enterprise 6.3.3 on both Indexer and Universal Forwarder.

0 Karma
1 Solution

sundareshr
Legend

I assume you have verified the field has values. Try renaming the field to one with no hyphens. I seen strange behaviors when fields have hyphen in them. You could also try putting the field name within quotes.

View solution in original post

sundareshr
Legend

I assume you have verified the field has values. Try renaming the field to one with no hyphens. I seen strange behaviors when fields have hyphen in them. You could also try putting the field name within quotes.

anewell
Path Finder

The rename works:
| rename Working_Set_-_Private AS AlphaOnly | eval KB=(AlphaOnly/1024) | table KB

Quoting the field name results in an implicit typeconversion, and throws "Error in 'eval' command: Typechecking failed. '/' only takes numbers."

Thanks for the rename suggestion.

0 Karma

anewell
Path Finder

Convert the comment to an answer and I'll happy award your well-earned imaginary internet points!

0 Karma

somesoni2
Revered Legend

Try using single quotes around the field name.

...| eval KB=(' Working_Set_-_Private'/1024) | table KB

anewell
Path Finder

D'oh! ...and it saves wear and tear on my Shift key! Thanks.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...