Splunk Search

How to edit my search to get results to display volume as BYTES, KB, MB, GB, and TB?

elijahputnam
New Member

Hello,

I have search and currently the results show in MB. For example:

Current Search:

Vol in MB
112435
9734
29845
725634
3564476
233463

I would like to have it show up as like the below example:

Volume
723 MB
14MB
12KB
12GB
1.2 TB

Here is the search context which we are using:

index=pan_logs $vsys_name$ eventtype=pan_traffic action=allowed   | stats sparkline sum(bytes) AS sbytes by app | sort -sbytes | head 8 | eval Application=upper(app) | eval "Vol in MB"=round(sbytes/1024/1024) | rename sparkline AS Distribution | table Application "Vol in MB" Distribution

Result:

Application.........................Vol in MB................. Distribution
Quic...................................... 342
Wb-Browsing........................306

SSL.........................................26
MS-SMS.................................14
Google-Base.........................13
Skype.....................................3
MS-Update............................2

Tags (3)
0 Karma

sundareshr
Legend

Try this (you may have to fix the math 🙂 )

| eval Volume=case(sbytes<=1024, sbytes." B", sbytes>1024 AND sbytes<=(1024*1024), round(sbytes/(1024),1)." KB", sbytes>(1024*1024) AND sbytes<=(1024*1024*1024), round(sbytes/(1024*1024), 1)." MB", sbytes>(1024*1024*1024) AND sbytes<=(1024*1024*1024*1024), round(sbytes/(1024*1024*1024), 1)." GB", sbytes>(1024*1024*1024*1024), round(sbytes/(1024*1024*1024*1024), 1)." TB", 1=1, "UNK")
0 Karma

elijahputnam
New Member

I added what you posted to my search but now the values are showing up blank under "Vol in MB"

Here is my complete search now.

index=pan_logs $vsys_name$ eventtype=pan_traffic action=allowed | stats sparkline sum(bytes) AS sbytes by app | sort -sbytes | head 8 | eval Application=upper(app) | eval Volume=case(sbytes<=1024, sbytes." B", sbytes>1024 AND sbytes<=(1024*1024), round(sbytes/(1024),1)." KB", sbytes>(1024*1024) AND sbytes<=(1024*1024*1024), round(sbytes/(1024*1024), 1)." MB", sbytes>(1024*1024*1024) AND sbytes<=(1024*1024*1024*1024), round(sbytes/(1024*1024*1024), 1)." GB", sbytes>(1024*1024*1024*1024), round(sbytes/(1024*1024*1024*1024), 1)." TB", 1=1, "UNK") | rename sparkline AS Distribution | table Application "Vol in MB" Distribution

0 Karma

sundareshr
Legend

Change "Vol in MB" to Volume, in your last table segment. Like this

 | table Application Volume Distribution
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...