Hello,
I have a search and currently the results show in MB. For example:
Current Search:
Vol in MB
112435
9734
29845
725634
3564476
233463
I would like to have it show up like the example below:
Volume
723 MB
14MB
12KB
12GB
1.2 TB
Here is the search context which we are using:
index=pan_logs $vsys_name$ eventtype=pan_traffic action=allowed | stats sparkline sum(bytes) AS sbytes by app | sort -sbytes | head 8 | eval Application=upper(app) | eval "Vol in MB"=round(sbytes/1024/1024) | rename sparkline AS Distribution | table Application "Vol in MB" Distribution
Result:
Application     Vol in MB   Distribution
Quic            342
Web-Browsing    306
SSL             26
MS-SMS          14
Google-Base     13
Skype           3
MS-Update       2
Try this (you may have to fix the math 🙂 )
| eval Volume=case(sbytes<=1024, sbytes." B", sbytes>1024 AND sbytes<=(1024*1024), round(sbytes/(1024),1)." KB", sbytes>(1024*1024) AND sbytes<=(1024*1024*1024), round(sbytes/(1024*1024), 1)." MB", sbytes>(1024*1024*1024) AND sbytes<=(1024*1024*1024*1024), round(sbytes/(1024*1024*1024), 1)." GB", sbytes>(1024*1024*1024*1024), round(sbytes/(1024*1024*1024*1024), 1)." TB", 1=1, "UNK")
I added what you posted to my search, but now the values are showing up blank under "Vol in MB".
Here is my complete search now.
index=pan_logs $vsys_name$ eventtype=pan_traffic action=allowed | stats sparkline sum(bytes) AS sbytes by app | sort -sbytes | head 8 | eval Application=upper(app) | eval Volume=case(sbytes<=1024, sbytes." B", sbytes>1024 AND sbytes<=(1024*1024), round(sbytes/(1024),1)." KB", sbytes>(1024*1024) AND sbytes<=(1024*1024*1024), round(sbytes/(1024*1024), 1)." MB", sbytes>(1024*1024*1024) AND sbytes<=(1024*1024*1024*1024), round(sbytes/(1024*1024*1024), 1)." GB", sbytes>(1024*1024*1024*1024), round(sbytes/(1024*1024*1024*1024), 1)." TB", 1=1, "UNK") | rename sparkline AS Distribution | table Application "Vol in MB" Distribution
Change "Vol in MB" to Volume in your last table segment, like this:
| table Application Volume Distribution
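To check the math in the case() expression above outside Splunk, here is an added Python reference (not code from the thread or from Splunk) that mirrors its 1024-based thresholds and one-decimal rounding, shows the boundary difference between "<=" and "<" on the upper bound, and converts the "Vol in MB" figures from the question back into byte counts; the MB values and the function names are constructed for this example.

```python
# Added example: reference implementation of the SPL case() bucketing, for offline checking.
KIB = 1024

def spl_volume(sbytes: float) -> str:
    """Mirror the posted case() expression: 1024-based units, '<=' on every upper bound,
    no decimals for bytes, one decimal for everything else."""
    if sbytes <= KIB:
        return f"{int(sbytes)} B"
    if sbytes <= KIB ** 2:
        return f"{round(sbytes / KIB, 1)} KB"
    if sbytes <= KIB ** 3:
        return f"{round(sbytes / KIB ** 2, 1)} MB"
    if sbytes <= KIB ** 4:
        return f"{round(sbytes / KIB ** 3, 1)} GB"
    return f"{round(sbytes / KIB ** 4, 1)} TB"

def human_volume(sbytes: float) -> str:
    """Same idea as a loop with '<' on the upper bound, so exactly 1024 rolls over
    to '1.0 KB' and each unit covers [1, 1024) instead of (1, 1024]; extended to PB."""
    units = ["B", "KB", "MB", "GB", "TB", "PB"]
    value = float(sbytes)
    for unit in units:
        if value < KIB or unit == units[-1]:
            return f"{int(value)} B" if unit == "B" else f"{round(value, 1)} {unit}"
        value /= KIB

# Constructed input: the 'Vol in MB' figures from the question, as byte counts again
VOL_IN_MB = [112435, 9734, 29845, 725634, 3564476, 233463]

def convert_question_rows() -> list:
    """Return the question's rows rendered with human_volume()."""
    return [human_volume(mb * KIB ** 2) for mb in VOL_IN_MB]

if __name__ == "__main__":
    for mb, vol in zip(VOL_IN_MB, convert_question_rows()):
        print(f"{mb:>8} MB -> {vol}")
    # Boundary case: the posted expression labels 1024 bytes as '1024 B', not '1.0 KB'
    print(spl_volume(1024), "vs", human_volume(1024))
```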