Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Formatting lost using fieldformat when alerting via email

Lowell
Super Champion
‎03-13-2012 08:25 AM

I have an alert that uses the fieldformat command to format several fields. The fields show up as desired when viewed interactively (using the Splunk web interface), but when sent via email I see the original values, as if the fieldformat is being ignored.

My format_kb_human macro reformats a field (provided in KB) into a more human readable MB/GB value. I updated this macro from using eval in Splunk 4.1 to use fieldformat in Splunk 4.2. This allows proper sorting using splunk web while showing human readable numbers.

[format_kb_human(1)]
args = field
definition = fieldformat $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2),  abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
iseval = 0

Do I have any options other than switching back to eval? I'd rather not have two different macros for the same thing, one using eval and the other using fieldformat.

Reply

dart
Splunk Employee
Splunk Employee
‎02-27-2015 02:40 AM

Your only option is to use eval, but there is a neat trick we can use to make it a little less painful.

[format_kb_human(1)]
 args = field
 definition = `format_kb_human($field$,"fieldformat")`
 iseval = 0

[format_kb_human(2)]
 args = field, command
 definition = `command` $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2),  abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
 iseval = 0

Then you can replace it in your alert search string with the 2nd parameter being "eval".

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Splunk ITSI & Correlated Network Visibility

  Now On Demand   Take Your Network Visibility to the Next Level In today’s complex IT environments, ...

Community Content Calendar, August edition

In the dynamic world of cybersecurity, staying ahead means constantly solving new puzzles and optimizing your ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
Top