Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Formatting lost using fieldformat when alerting via email

Lowell
Super Champion
‎03-13-2012 08:25 AM

I have an alert that uses the fieldformat command to format several fields. The fields show up as desired when viewed interactively (using the Splunk web interface), but when sent via email I see the original values, as if the fieldformat is being ignored.

My format_kb_human macro reformats a field (provided in KB) into a more human readable MB/GB value. I updated this macro from using eval in Splunk 4.1 to use fieldformat in Splunk 4.2. This allows proper sorting using splunk web while showing human readable numbers.

[format_kb_human(1)]
args = field
definition = fieldformat $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2),  abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
iseval = 0

Do I have any options other than switching back to eval? I'd rather not have two different macros for the same thing, one using eval and the other using fieldformat.

Reply

dart
Splunk Employee
Splunk Employee
‎02-27-2015 02:40 AM

Your only option is to use eval, but there is a neat trick we can use to make it a little less painful.

[format_kb_human(1)]
 args = field
 definition = `format_kb_human($field$,"fieldformat")`
 iseval = 0

[format_kb_human(2)]
 args = field, command
 definition = `command` $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2),  abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
 iseval = 0

Then you can replace it in your alert search string with the 2nd parameter being "eval".

0 Karma
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
Top