Solved: How do I filter event by specifiing bytes>(1024*10...

melonman · ‎09-27-2012

Hi,

I am trying to search:

sourcetype=access* bytes>1024*10

But this returns event bytes less than 1024, and the result looks wrong.
Is there anyway to add calculation on the right side of field?

Thank you,

gkanapathy · ‎09-27-2012

You can use the where search command:

sourcetype=access* | where bytes>1024*10

Or, you can create a macro in macros.conf:

[evaluate(1)]
args = x
definition = tostring($x$)
iseval = true

Once you have this macro defined and scoped for your app, you can do this:

sourcetype=access* bytes > `evaluate(1024*10)`

In some circumstances (which are rare, and probably not applicable in your case) in newer versions of Splunk, the latter may perform considerably faster. In most cases, though, it will be about the same.

View solution in original post

gkanapathy · ‎09-27-2012

You can use the where search command:

sourcetype=access* | where bytes>1024*10

Or, you can create a macro in macros.conf:

[evaluate(1)]
args = x
definition = tostring($x$)
iseval = true

Once you have this macro defined and scoped for your app, you can do this:

sourcetype=access* bytes > `evaluate(1024*10)`

In some circumstances (which are rare, and probably not applicable in your case) in newer versions of Splunk, the latter may perform considerably faster. In most cases, though, it will be about the same.

chris · ‎09-27-2012

Hi

Try this

sourcetype=access* | where bytes>1024*10

To verify your it is working you can try this search:

 sourcetype=access*|where bytes>10*1024 | table bytes | sort bytes

How do I filter event by specifiing bytes>(1024*10), having simple calculation on the right side of the field?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes