Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

conditional converion

KarunK
Contributor
‎04-07-2013 06:56 PM

Hi All,

I have a field called "diskin" which can have two values in two measurements

1) K for kilobytes

2) M for megabytes

eg: diskin=9.9M, diskin=948K etc

How do i auto covert them to a single measurement say in bytes during search time ?

Thanks

Regards

KK

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎04-07-2013 07:02 PM

You can use the if() function in eval, along with the substr() function to check the last character of the diskin field:

... | eval bytes=if(substr(diskin,-1)=="M",diskin/(1024*1024),diskin/1024)

If you have more than two cases, it's cleaner to use the case() function. Even with only 2 cases, it's a bit of a tossup. Here's the same functionality but with the case() function.

...| eval bytes=case(substr(diskin,-1)=="M",diskin/(1024*1024), substr(diskin,-1)=="K", ,diskin/1024)

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions

UPDATE:

Sorry I forgot that those suffixes will prevent the field from being treated as a numeric field. Splunk will sometimes forgive a certain amount of strangeness and treat values as numeric anyway, but indeed it does not in this case and the division above fails.

But you can easily make yourself a numeric field by clipping off the suffix, and the overall search language then looks like:

with the eval command's if() function:

... | eval suffix=substr(diskin,-1) | eval value=substr(diskin,0,length(diskin)-1) | eval bytes=if(suffix=="M",value/(1024*1024),value/1024)

with the case() function instead:

... | eval suffix=substr(diskin,-1) | eval value=substr(diskin,0,length(diskin)-1) | eval bytes=case(suffix=="M",value/(1024*1024),suffix=="K",value/1024)

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎04-07-2013 07:02 PM

You can use the if() function in eval, along with the substr() function to check the last character of the diskin field:

... | eval bytes=if(substr(diskin,-1)=="M",diskin/(1024*1024),diskin/1024)

If you have more than two cases, it's cleaner to use the case() function. Even with only 2 cases, it's a bit of a tossup. Here's the same functionality but with the case() function.

...| eval bytes=case(substr(diskin,-1)=="M",diskin/(1024*1024), substr(diskin,-1)=="K", ,diskin/1024)

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions

UPDATE:

Sorry I forgot that those suffixes will prevent the field from being treated as a numeric field. Splunk will sometimes forgive a certain amount of strangeness and treat values as numeric anyway, but indeed it does not in this case and the division above fails.

But you can easily make yourself a numeric field by clipping off the suffix, and the overall search language then looks like:

with the eval command's if() function:

... | eval suffix=substr(diskin,-1) | eval value=substr(diskin,0,length(diskin)-1) | eval bytes=if(suffix=="M",value/(1024*1024),value/1024)

with the case() function instead:

... | eval suffix=substr(diskin,-1) | eval value=substr(diskin,0,length(diskin)-1) | eval bytes=case(suffix=="M",value/(1024*1024),suffix=="K",value/1024)

Reply
Solved! Jump to solution

KarunK
Contributor
‎04-07-2013 09:46 PM

Thanks it worked....

Cheers

KK

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎04-07-2013 08:19 PM

Oh right. No problem. it's easy. I'll update my answer.

0 Karma
Reply
Solved! Jump to solution

KarunK
Contributor
‎04-07-2013 07:13 PM

Ies i have tried this but "diskin/1024" wont work since, diskin is alphanumeric (eg:diskin=9.9M/1024)

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...