
convert bytes to megabytes in report

jxjackso
Explorer

Hello.

I'm building a report with the following query:

sourcetype="access_combined" dmanager | timechart sum(bytes)

Which works, but I want to convert the bytes to megs. I tried sum(bytes/1024) but got an error when I tried this.

Any help is much appreciated.


Simeon
Splunk Employee

You can use the eval command to make changes to values:

sourcetype="access_combined" dmanager | eval megabytes=((bytes/1024)/1024) | timechart sum(megabytes)

This will also work without the parentheses:

... | eval megabytes=bytes/1024/1024 | 

For more detail:

http://www.splunk.com/base/Documentation/latest/SearchReference/Eval


Paolo_Prigione
Builder

On 4.x you should also be able to put it all into the "timechart" command:

... | timechart eval(sum(bytes)/1024/1024) as totMBs

ziegfried
Influencer

Here is a little search macro that does a little more than just converting a value to megabytes - it formats the value depending on its size in GB, MB, KB or bytes. Not usable for charts, but when displaying top-lists it comes in quite handy.

The definition looks like this:

if($bytes$>1073741824, tostring(round($bytes$/1073741824,2))+" GB", if($bytes$>1048576, tostring(round($bytes$/1048576,2))+" MB", if($bytes$>1024, tostring(round($bytes$/1024))+" KB", tostring($bytes$)+" Bytes")))

with the argument bytes and can be used like this:

sourcetype=access_combined | stats sum(bytes) as volume by uri | sort -volume | head 10 | eval volume=`format_bytes(volume)`

which would print out something like:

              uri                       volume
------------------------------------- ---------
/url1                                  1.54 GB
/url2                                  656.34 MB
/url3                                  474.46 MB
/url4                                  291.72 MB
/url1                                  62.84 MB
/url1                                  26.08 MB
...                                     

sowings
Splunk Employee

In the example above, the macro is called in the search as "format_bytes", with one argument. This means that the stanza in macros.conf (or Manager -> Advanced Search -> Search macros) is defined as format_bytes(1). The text of the macro is the first one with all of the math. The argument (as identified by the term that keeps repeating as $bytes$) is bytes. The $ $ surrounding it in the macro definition means "place the text of the argument here."
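
The macro described in this thread, written out as a macros.conf stanza. This is an added example, not part of the original posts; the app directory in the path comment is a placeholder, and the definition is the one posted above, unchanged.

```ini
# File: $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf
# (<your_app> is a placeholder for the app that should own the macro)

# Stanza name = macro name followed by the number of arguments in parentheses.
[format_bytes(1)]

# Comma-separated argument names. Each one is referenced in the
# definition as $name$, here $bytes$.
args = bytes

# Text substituted into the search wherever `format_bytes(<field>)` appears.
# Every $bytes$ is replaced by whatever was passed as the argument.
definition = if($bytes$>1073741824, tostring(round($bytes$/1073741824,2))+" GB", if($bytes$>1048576, tostring(round($bytes$/1048576,2))+" MB", if($bytes$>1024, tostring(round($bytes$/1024))+" KB", tostring($bytes$)+" Bytes")))

# 0 = the definition is literal search text to paste in,
# not an eval expression that computes the search text.
iseval = 0
```

Because the definition expands to an eval expression, the macro has to be called on the right-hand side of an eval, as in the search shown earlier in the thread. The result is a string, so any sort on the numeric value has to come before the macro is applied, as that search does.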

tb5821
Communicator

How does one go about setting this up as a search macro? Looking for some step by step directions.


RohiniJindam
Path Finder

Any workaround for displaying the numbers in the above format in charts?

