Splunk Search

convert bytes to megabytes in report

jxjackso
Explorer

Hello.

I'm building a report with the following query:

sourcetype="access_combined" dmanager | timechart sum(bytes)

Which works, but I want to convert the bytes to megs. I tried sum(bytes/1024) but got an error when I tried this.

Any help is much appreciated.

Tags (2)
1 Solution

Simeon
Splunk Employee
Splunk Employee

You can use the eval command to make changes to values:

sourcetype="access_combined" dmanager | eval megabytes=((bytes/1024)/1024) | timechart sum(megabytes)

This will also work without the parenthesis:

... | eval megabytes=bytes/1024/1024 | 

For more detail:

http://www.splunk.com/base/Documentation/latest/SearchReference/Eval

View solution in original post

Paolo_Prigione
Builder

on 4.x you should also be able to put it all into the "timechart" command:

... | timechart eval(sum(bytes)/1024/1024) as totMBs
0 Karma

ziegfried
Influencer

Here is a little search macro that does a little more than just converting a value to megabytes - it formats the value depending on its size in GB, MB, KB or bytes. Not usable for chart, but when displaying top-lists it comes quite handy.

The definition looks like this:

if($bytes$>1073741824, tostring(round($bytes$/1073741824,2))+" GB", if($bytes$>1048576, tostring(round($bytes$/1048576,2))+" MB", if($bytes$>1024, tostring(round($bytes$/1024))+" KB", tostring($bytes$)+" Bytes")))

with the argument bytes and can be used like this:

sourcetype=access_combined | stats sum(bytes) as volume by uri | sort -volume | head 10 | eval volume=`format_bytes(volume)`

which would print out smth like:

              uri                       volume
------------------------------------- ---------
/url1                                  1.54 GB
/url2                                  656.34 MB
/url3                                  474.46 MB
/url4                                  291.72 MB
/url1                                  62.84 MB
/url1                                  26.08 MB
...                                     

sowings
Splunk Employee
Splunk Employee

In the example above, the macro is called in the search as "format_bytes", with one argument. This means that the stanza in macros.conf (or Manager -> Advanced Search -> Search macros) as format_bytes(1). The text of the macro is the first one with all of the math. The argument (as identified by the term that keeps repeating as $bytes$) is bytes. The $ $ surrounding it in the macro definition mean "place the text of the argument here."

tb5821
Communicator

How does one go about setting this up as a search macro? Looking for some step by step directions.

0 Karma

RohiniJindam
Path Finder

Any workaround for displaying the numbers in the above format in charts?

0 Karma

Simeon
Splunk Employee
Splunk Employee

You can use the eval command to make changes to values:

sourcetype="access_combined" dmanager | eval megabytes=((bytes/1024)/1024) | timechart sum(megabytes)

This will also work without the parenthesis:

... | eval megabytes=bytes/1024/1024 | 

For more detail:

http://www.splunk.com/base/Documentation/latest/SearchReference/Eval

Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...