Using the scale command, you can scale fields matching a pattern by a fixed scale or by a field from each event. This replaces multiple calls to eval when transforming several fields from one unit to another, such as bytes to megabytes. Optionally, you can specify rounding to any precision and choose between division and multiplication to scale up or down easily.
... | scale scale=1048576 pattern=byte round=0
Converts fields matching the pattern "byte" to megabytes, rounding to whole MB.
... | scale scale=60 pattern="^[^_]"
Converts every numeric field not starting with an underscore, e.g. _time, from seconds to minutes.
... | scale field=Total pattern="^sum" | scale scale=100 pattern="^sum" round=2 inverse=t
Translates every field starting with "sum" into percentages of Total, rounded to two decimal places.
Here's how the examples above would look using the foreach command added in Splunk 6:
... | foreach *byte* [eval <<FIELD>> = round(<<FIELD>> / 1048576)]
Matching for "field doesn't start with an underscore" isn't possible with only wildcards, so example 2 still requires the scale command.
... | foreach sum* [eval <<FIELD>> = round(<<FIELD>> / Total * 100, 2)]
scale (scale= | field=) pattern= [round=] [inverse=t]
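The option semantics shown by the three examples above, modeled in Python as an added illustration (not the app's own code). It assumes the pattern is an unanchored regular expression on field names, that division is the default and inverse=t multiplies, and that non-numeric values or an unusable divisor leave the event unchanged; `scale_event` and the sample events are constructed here.

```python
import re


def scale_event(event, pattern, scale=None, field=None, round_to=None, inverse=False):
    """Model of `scale` applied to one event (dict of field name -> value)."""
    if (scale is None) == (field is None):
        raise ValueError("give exactly one of scale= or field=")
    out = dict(event)
    factor = scale
    if field is not None:
        try:
            factor = float(event[field])  # per-event divisor, e.g. Total
        except (KeyError, TypeError, ValueError):
            return out  # assumption: no usable divisor, event unchanged
    if factor == 0 and not inverse:
        return out  # assumption: never divide by zero
    rx = re.compile(pattern)
    for name, value in event.items():
        if not rx.search(name):
            continue
        try:
            number = float(value)  # Splunk values often arrive as strings
        except (TypeError, ValueError):
            continue  # assumption: non-numeric fields are left untouched
        result = number * factor if inverse else number / factor
        if round_to is not None:
            result = round(result, round_to)
        out[name] = result
    return out


# Constructed sample events mirroring the three searches on this page.
EX1 = {"bytes_in": "3145728", "host": "web01"}
EX2 = {"_time": 1700000000, "duration": 120, "host": "web01"}
EX3 = {"Total": 3, "sum_a": 1, "sum_b": 2}


def percent_of_total(event):
    """Example 3: scale field=Total, then scale=100 round=2 inverse=t."""
    step1 = scale_event(event, "^sum", field="Total")
    return scale_event(step1, "^sum", scale=100, round_to=2, inverse=True)


if __name__ == "__main__":
    print(scale_event(EX1, "byte", scale=1048576, round_to=0))
    print(scale_event(EX2, "^[^_]", scale=60))
    print(percent_of_total(EX3))
```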
Added support for scaling by a field.