The format_bytes function formats a numeric value as a human-readable string representing data size in bytes with appropriate units (KB, MB, GB, etc.). Use this function to make byte values more readable in reports, dashboards, and log analysis.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk SPL, you typically need custom eval expressions or lookup tables to format bytes. APL's format_bytes provides this functionality natively.

```sql Splunk example
| eval size_str=if(resp_header_size_bytes<1024, resp_header_size_bytes." B", if(resp_header_size_bytes<1048576, round(resp_header_size_bytes/1024,2)." KB", round(resp_header_size_bytes/1048576,2)." MB"))
```

```kusto APL equivalent
['sample-http-logs']
| extend size_str = format_bytes(resp_header_size_bytes)
```

In ANSI SQL, formatting bytes requires complex CASE statements. APL's format_bytes simplifies this operation.

```sql SQL example
SELECT
  CASE
    WHEN resp_header_size_bytes < 1024 THEN CONCAT(resp_header_size_bytes, ' B')
    WHEN resp_header_size_bytes < 1048576 THEN CONCAT(ROUND(resp_header_size_bytes/1024, 2), ' KB')
    ELSE CONCAT(ROUND(resp_header_size_bytes/1048576, 2), ' MB')
  END AS size_str
FROM logs;
```

```kusto APL equivalent
['sample-http-logs']
| extend size_str = format_bytes(resp_header_size_bytes)
```

Usage

Syntax

```kusto
format_bytes(value, precision, units, base)
```

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| value | number | Yes | The numeric value representing bytes to format. |
| precision | number | No | Number of decimal places (default: 0). |
| units | string | No | Target units. If omitted, units are auto-selected. Base 2 suffixes: Bytes, KiB, KB, MiB, MB, GiB, GB, TiB, TB, PiB, EiB, ZiB, YiB. Base 10 suffixes: kB, MB, GB, TB, PB, EB, ZB, YB. |
| base | number | No | Either 2 (default, 1024-based) or 10 (1000-based) for unit calculations. |

Returns

Returns a formatted string representing the byte value with appropriate units.

Use case examples

Format response header sizes as human-readable values for better analysis of payload patterns.

Query

```kusto
['sample-http-logs']
| extend formatted_size = format_bytes(resp_header_size_bytes, 2)
| summarize avg_size = avg(resp_header_size_bytes), formatted_avg = format_bytes(toint(avg(resp_header_size_bytes)), 2) by status
| sort by avg_size desc
| limit 10
```

Output

| status | avg_size | formatted_avg |
| --- | --- | --- |
| 500 | 8765432 | 8.36 MB |
| 200 | 3456789 | 3.30 MB |
| 404 | 1234567 | 1.18 MB |
| 301 | 456789 | 446.08 KB |

This query formats average response header sizes by HTTP status code, making it easier to identify which status codes are associated with larger data transfers.

Format response header sizes for failed authentication attempts to identify potential data exfiltration or unusual payload patterns.

Query

```kusto
['sample-http-logs']
| where status == '403' or status == '401'
| extend formatted_size = format_bytes(resp_header_size_bytes, 1)
| summarize failed_attempts = count(), avg_size = format_bytes(toint(avg(resp_header_size_bytes)), 1) by status
| sort by failed_attempts desc
```

Output

| status | failed_attempts | avg_size |
| --- | --- | --- |
| 401 | 1234 | 850.0 KB |
| 403 | 987 | 720.0 KB |

This query formats average response header sizes, helping identify unusual payload patterns that might indicate security issues.
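The query below is an added example, not part of the original documentation. Because format_bytes returns a string, it applies thresholds and sorting to the numeric column and formats only the final display columns. The 1 MiB threshold and the column names p95_bytes, max_bytes, p95_size, and max_size are assumptions chosen for illustration.

```kusto
['sample-http-logs']
| where status == '401' or status == '403'
// Aggregate on the raw numeric field: formatted strings compare and sort as text, not as sizes.
| summarize failed_attempts = count(),
            p95_bytes = percentile(resp_header_size_bytes, 95),
            max_bytes = max(resp_header_size_bytes)
    by status
// Assumed threshold: keep groups whose largest response header exceeds 1 MiB (1048576 bytes).
| where max_bytes > 1048576
| sort by max_bytes desc
// Format last, for display only. Pinning units to MB keeps rows directly comparable.
| extend p95_size = format_bytes(toint(p95_bytes), 2, 'MB'),
         max_size = format_bytes(max_bytes, 2, 'MB')
```

Keeping p95_bytes and max_bytes in the output lets an alert rule or a downstream query compare exact values without parsing the formatted strings.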

  • parse_bytes: Parses a formatted byte string back to a numeric value. Use this to reverse the formatting operation.
  • strlen: Returns the length of a string in characters. Use this when you need character count rather than byte formatting.
