Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

convert bytes to megabytes in report

jxjackso
Explorer
‎07-13-2010 03:24 PM

Hello.

I'm building a report with the following query:

sourcetype="access_combined" dmanager | timechart sum(bytes)

Which works, but I want to convert the bytes to megs. I tried sum(bytes/1024) but got an error when I tried this.

Any help is much appreciated.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎07-13-2010 03:46 PM

You can use the eval command to make changes to values:

sourcetype="access_combined" dmanager | eval megabytes=((bytes/1024)/1024) | timechart sum(megabytes)

This will also work without the parenthesis:

... | eval megabytes=bytes/1024/1024 |

For more detail:

http://www.splunk.com/base/Documentation/latest/SearchReference/Eval

View solution in original post

Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎07-13-2010 08:31 PM

on 4.x you should also be able to put it all into the "timechart" command:

... | timechart eval(sum(bytes)/1024/1024) as totMBs
0 Karma
Reply
Solved! Jump to solution

ziegfried
Influencer
‎07-13-2010 08:16 PM

Here is a little search macro that does a little more than just converting a value to megabytes - it formats the value depending on its size in GB, MB, KB or bytes. Not usable for chart, but when displaying top-lists it comes quite handy.

The definition looks like this:

if($bytes$>1073741824, tostring(round($bytes$/1073741824,2))+" GB", if($bytes$>1048576, tostring(round($bytes$/1048576,2))+" MB", if($bytes$>1024, tostring(round($bytes$/1024))+" KB", tostring($bytes$)+" Bytes")))

with the argument bytes and can be used like this:

sourcetype=access_combined | stats sum(bytes) as volume by uri | sort -volume | head 10 | eval volume=`format_bytes(volume)`

which would print out smth like:

              uri                       volume
------------------------------------- ---------
/url1                                  1.54 GB
/url2                                  656.34 MB
/url3                                  474.46 MB
/url4                                  291.72 MB
/url1                                  62.84 MB
/url1                                  26.08 MB
...
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎09-17-2013 06:52 AM

In the example above, the macro is called in the search as "format_bytes", with one argument. This means that the stanza in macros.conf (or Manager -> Advanced Search -> Search macros) as format_bytes(1). The text of the macro is the first one with all of the math. The argument (as identified by the term that keeps repeating as $bytes$) is bytes. The $ $ surrounding it in the macro definition mean "place the text of the argument here."

Reply
Solved! Jump to solution

tb5821
Communicator
‎09-17-2013 06:17 AM

How does one go about setting this up as a search macro? Looking for some step by step directions.

0 Karma
Reply
Solved! Jump to solution

RohiniJindam
Path Finder
‎06-27-2013 06:28 AM

Any workaround for displaying the numbers in the above format in charts?

0 Karma
Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎07-13-2010 03:46 PM

You can use the eval command to make changes to values:

sourcetype="access_combined" dmanager | eval megabytes=((bytes/1024)/1024) | timechart sum(megabytes)

This will also work without the parenthesis:

... | eval megabytes=bytes/1024/1024 |

For more detail:

http://www.splunk.com/base/Documentation/latest/SearchReference/Eval

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...