- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my search to get results to displa...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search to get results to display volume as BYTES, KB, MB, GB, and TB?
Hello,
I have search and currently the results show in MB. For example:
Current Search:
Vol in MB
112435
9734
29845
725634
3564476
233463
I would like to have it show up as like the below example:
Volume
723 MB
14MB
12KB
12GB
1.2 TB
Here is the search context which we are using:
index=pan_logs $vsys_name$ eventtype=pan_traffic action=allowed | stats sparkline sum(bytes) AS sbytes by app | sort -sbytes | head 8 | eval Application=upper(app) | eval "Vol in MB"=round(sbytes/1024/1024) | rename sparkline AS Distribution | table Application "Vol in MB" Distribution
Result:
Application.........................Vol in MB................. Distribution
Quic...................................... 342
Wb-Browsing........................306
SSL.........................................26
MS-SMS.................................14
Google-Base.........................13
Skype.....................................3
MS-Update............................2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (you may have to fix the math 🙂 )
| eval Volume=case(sbytes<=1024, sbytes." B", sbytes>1024 AND sbytes<=(1024*1024), round(sbytes/(1024),1)." KB", sbytes>(1024*1024) AND sbytes<=(1024*1024*1024), round(sbytes/(1024*1024), 1)." MB", sbytes>(1024*1024*1024) AND sbytes<=(1024*1024*1024*1024), round(sbytes/(1024*1024*1024), 1)." GB", sbytes>(1024*1024*1024*1024), round(sbytes/(1024*1024*1024*1024), 1)." TB", 1=1, "UNK")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I added what you posted to my search but now the values are showing up blank under "Vol in MB"
Here is my complete search now.
index=pan_logs $vsys_name$ eventtype=pan_traffic action=allowed | stats sparkline sum(bytes) AS sbytes by app | sort -sbytes | head 8 | eval Application=upper(app) | eval Volume=case(sbytes<=1024, sbytes." B", sbytes>1024 AND sbytes<=(1024*1024), round(sbytes/(1024),1)." KB", sbytes>(1024*1024) AND sbytes<=(1024*1024*1024), round(sbytes/(1024*1024), 1)." MB", sbytes>(1024*1024*1024) AND sbytes<=(1024*1024*1024*1024), round(sbytes/(1024*1024*1024), 1)." GB", sbytes>(1024*1024*1024*1024), round(sbytes/(1024*1024*1024*1024), 1)." TB", 1=1, "UNK") | rename sparkline AS Distribution | table Application "Vol in MB" Distribution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change "Vol in MB" to Volume, in your last table segment. Like this
| table Application Volume Distribution
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
