- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have a field called "diskin" which can have two values in two measurements
1) K for kilobytes
2) M for megabytes
eg: diskin=9.9M, diskin=948K etc
How do i auto covert them to a single measurement say in bytes during search time ?
Thanks
Regards
KK
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the if() function in eval, along with the substr() function to check the last character of the diskin field:
... | eval bytes=if(substr(diskin,-1)=="M",diskin/(1024*1024),diskin/1024)
If you have more than two cases, it's cleaner to use the case() function. Even with only 2 cases, it's a bit of a tossup. Here's the same functionality but with the case() function.
...| eval bytes=case(substr(diskin,-1)=="M",diskin/(1024*1024), substr(diskin,-1)=="K", ,diskin/1024)
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions
UPDATE:
Sorry I forgot that those suffixes will prevent the field from being treated as a numeric field. Splunk will sometimes forgive a certain amount of strangeness and treat values as numeric anyway, but indeed it does not in this case and the division above fails.
But you can easily make yourself a numeric field by clipping off the suffix, and the overall search language then looks like:
with the eval command's if() function:
... | eval suffix=substr(diskin,-1) | eval value=substr(diskin,0,length(diskin)-1) | eval bytes=if(suffix=="M",value/(1024*1024),value/1024)
with the case() function instead:
... | eval suffix=substr(diskin,-1) | eval value=substr(diskin,0,length(diskin)-1) | eval bytes=case(suffix=="M",value/(1024*1024),suffix=="K",value/1024)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the if() function in eval, along with the substr() function to check the last character of the diskin field:
... | eval bytes=if(substr(diskin,-1)=="M",diskin/(1024*1024),diskin/1024)
If you have more than two cases, it's cleaner to use the case() function. Even with only 2 cases, it's a bit of a tossup. Here's the same functionality but with the case() function.
...| eval bytes=case(substr(diskin,-1)=="M",diskin/(1024*1024), substr(diskin,-1)=="K", ,diskin/1024)
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions
UPDATE:
Sorry I forgot that those suffixes will prevent the field from being treated as a numeric field. Splunk will sometimes forgive a certain amount of strangeness and treat values as numeric anyway, but indeed it does not in this case and the division above fails.
But you can easily make yourself a numeric field by clipping off the suffix, and the overall search language then looks like:
with the eval command's if() function:
... | eval suffix=substr(diskin,-1) | eval value=substr(diskin,0,length(diskin)-1) | eval bytes=if(suffix=="M",value/(1024*1024),value/1024)
with the case() function instead:
... | eval suffix=substr(diskin,-1) | eval value=substr(diskin,0,length(diskin)-1) | eval bytes=case(suffix=="M",value/(1024*1024),suffix=="K",value/1024)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks it worked....
Cheers
KK
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh right. No problem. it's easy. I'll update my answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ies i have tried this but "diskin/1024" wont work since, diskin is alphanumeric (eg:diskin=9.9M/1024)
