I have a nightly backup process that provides me with the total amount of data that the process offloads in a syslog message, sent to my Splunk server. The data is properly indexed in Splunk and all of the default fields (host, sourcetype, and source) are correctly generated. I'd like to produce a graph that shows the amount of data that is backed up over the last week (or month or other arbitrary time frame) that I can add to a dashboard to display to other system administrators. Here are some examples of my data:
07/29/2010 07:30:37 Total number of bytes transferred: 1.20 TB
08/17/2010 07:30:37 Total number of bytes transferred: 2.00 GB
08/18/2010 01:30:37 Total number of bytes transferred: 151.0 MB
08/19/2010 03:20:37 Total number of bytes transferred: 4.15 GB
08/20/2010 03:38:37 Total number of bytes transferred: 654.40 MB
As you might notice, the units of my data can be MB, GB, or TB (and probably KB as well). This is why I'm soliciting help. I'm pretty sure I can solve my problem by using two extracted fields here, one for the numerical value of the data (byte_number), and another for the unit value of the data (byte_unit), and performing manipulations on each field, i.e.:
byte_number = 1.20, 2.00, 151.0, 4.15, 654.40, etc.
byte_unit = TB, GB, MB, GB, MB, etc.
However, I'd like to know if it's possible to extract just one field (bytes_transferred), and use "eval" or some other Splunk function to interpret and graph my data like this:
bytes_transferred = 1.20 TB, 2.00 GB, 151.0 MB, 4.15 GB, 654.40 MB, etc.
I realize that this creates an extracted field with both numerical values and text values, and I'm not sure how well Splunk's built-in functions can handle this.
Any ideas on how I should proceed with my chart if I want to work with just one extracted field?
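As an added example (not part of the original post), here is one SPL search that works with a single extracted field, bytes_transferred, holding both the number and the unit, and normalizes it to a common scale at search time with eval. It assumes a sourcetype name of backup_syslog (placeholder; substitute whatever the backup events are indexed as) and that the backup tool uses binary units (1 GB = 1024 MB); if it uses decimal units, change 1024 to 1000 in the case() multipliers.

```spl
sourcetype=backup_syslog "Total number of bytes transferred"
| rex field=_raw "transferred:\s+(?<bytes_transferred>[0-9.]+\s+[KMGT]?B)"
| eval byte_number=tonumber(mvindex(split(bytes_transferred, " "), 0)),
       byte_unit=mvindex(split(bytes_transferred, " "), 1)
| eval bytes=byte_number * case(byte_unit=="B", 1,
                                byte_unit=="KB", 1024,
                                byte_unit=="MB", pow(1024, 2),
                                byte_unit=="GB", pow(1024, 3),
                                byte_unit=="TB", pow(1024, 4))
| eval gigabytes=round(bytes / pow(1024, 3), 2)
| timechart span=1d sum(gigabytes) AS gb_transferred
```

The rex command is the single extraction: bytes_transferred takes values like "1.20 TB" or "654.40 MB", exactly as asked. The first eval splits that one field on the space only at search time, so nothing else needs to be configured in props.conf or transforms.conf, and the second eval converts every event to bytes so that the sum is meaningful regardless of the unit each line happened to use. Because case() returns null for an unrecognized unit, such events silently drop out of the sum; appending `| where isnull(bytes)` to the first part of the search is a quick way to check whether any lines are falling through. Changing span=1d, or the time picker on the dashboard panel, covers the week, month, or other range mentioned in the question.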