Field Units

A unit may be configured for the actual and typical values of an Anomaly Search, making it easier for the user to understand the numeric values displayed in the views of the app. For example, a web server response time can be displayed in milliseconds (such as 234ms) and a volume of data in bytes (such as 110KB). Formatting of configured fields is then performed automatically throughout the result views in the app, such as the Anomaly Search Results view, Entity View and Insight View.


Insight View showing volumes of data exfiltrated formatted as Bytes and KB

How it works

Three CSV lookups in the app define mappings of field names to the units of the values of those fields:

field_units_search.csv
    Mappings specific to a particular Anomaly Search. The lookup defines three fields: the Anomaly Search name, the name of the field, and the units to use for the value of that field.

field_units_group.csv
    Mappings specific to a particular Anomaly Search group. The lookup defines three fields: the name of the Anomaly Search group, the name of the field, and the units to use for the value of that field.

field_units_global.csv
    Global mappings to use if a more specific mapping is not found in the search or group lookups. The lookup defines two fields: the name of the field, and the units to use for the value of that field.

Units defined for a specific search will take precedence over units defined for a search group, and these in turn take precedence over global field units.

Out-of-the-box values have been included, with the global field_units_global.csv containing a selection of fields defined in Splunk’s Common Information Model (CIM).

Formatting of values in dashboards

The views in the app use these mappings to format the actual and typical values of fields defined in the lookups for display. For fields not defined in the lookups, the values will be displayed as-is without units. The units that are currently recognized for custom formatting are:

Unit          Dashboard formatting
bytes         Uses powers-of-1024 conversion to display in Bytes, KB, MB, GB or TB according to the size of the value.
megabytes     As bytes, but the value is first multiplied by 1048576.
milliseconds  "ms" is appended for display, with the value formatted according to the locale of the Splunk user.
seconds       "s" is appended for display, with the value formatted according to the locale of the Splunk user.
percent       "%" is appended for display.

Configuration

The Lookup File Editor App for Splunk Enterprise can be used to add, edit or delete entries in the field unit lookups. If not already installed in your Splunk deployment, this can be downloaded from Splunkbase at https://splunkbase.splunk.com/app/1724/.


Editing the Search-specific CSV lookup with the Lookup File Editor App for Splunk Enterprise

Alternatively, if you have access to the file system, the field units lookups can be edited by modifying the CSV files directly. The files can be found in the directory:

$SPLUNK_HOME/etc/apps/prelert/lookups

So for example to add an extra mapping for search groups, add an extra row specifying the name of the group, name of the field, and the unit to use for display:

prelertsearchgroup,prelert.valuefield,prelertgroupunit
security,cs_bytes,bytes
security,sc_bytes,bytes
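The following is an added example, not code from the prelert app, that walks through both the lookup precedence described under "How it works" and the formatting rules in the units table above. The lookup contents are constructed; the column names for the search and global lookups (prelertsearch, prelertsearchunit, prelertunit) are assumptions, only the group lookup header is taken from the page, and the thousands separator stands in for the user's locale formatting.

```python
import csv
import io

# Constructed sample lookups (not the files shipped with the app).
# Only the group header is from the page; the other two headers are assumed.
FIELD_UNITS_SEARCH = """prelertsearch,prelert.valuefield,prelertsearchunit
Web response time,response_time,milliseconds
"""
FIELD_UNITS_GROUP = """prelertsearchgroup,prelert.valuefield,prelertgroupunit
security,cs_bytes,bytes
security,sc_bytes,bytes
security,response_time,seconds
"""
FIELD_UNITS_GLOBAL = """prelert.valuefield,prelertunit
bytes,bytes
cpu_load_percent,percent
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def resolve_unit(search, group, field):
    """Search-specific mapping wins, then group, then global; None if unmapped."""
    for row in _rows(FIELD_UNITS_SEARCH):
        if row["prelertsearch"] == search and row["prelert.valuefield"] == field:
            return row["prelertsearchunit"]
    for row in _rows(FIELD_UNITS_GROUP):
        if row["prelertsearchgroup"] == group and row["prelert.valuefield"] == field:
            return row["prelertgroupunit"]
    for row in _rows(FIELD_UNITS_GLOBAL):
        if row["prelert.valuefield"] == field:
            return row["prelertunit"]
    return None

def _trim(text):
    return text[:-2] if text.endswith(".0") else text

def format_value(value, unit):
    """Apply the dashboard formatting rules for a resolved unit (as-is if None)."""
    if unit == "megabytes":                 # megabytes: scale to bytes first
        value, unit = value * 1048576, "bytes"
    if unit == "bytes":                     # powers of 1024 up to TB
        size, suffixes = float(value), ["Bytes", "KB", "MB", "GB", "TB"]
        while size >= 1024 and len(suffixes) > 1:
            size /= 1024
            suffixes.pop(0)
        return _trim(f"{size:.1f}") + suffixes[0]
    if unit in ("milliseconds", "seconds"): # "," stands in for locale formatting
        return f"{value:,}" + ("ms" if unit == "milliseconds" else "s")
    if unit == "percent":
        return f"{value}%"
    return str(value)                       # unmapped fields are shown as-is
```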
