Splunk Search

Formatting lost using fieldformat when alerting via email

Lowell
Super Champion

I have an alert that uses the fieldformat command to format several fields. The fields show up as desired when viewed interactively (using the Splunk web interface), but when sent via email I see the original values, as if the fieldformat is being ignored.

My format_kb_human macro reformats a field (provided in KB) into a more human readable MB/GB value. I updated this macro from using eval in Splunk 4.1 to use fieldformat in Splunk 4.2. This allows proper sorting using splunk web while showing human readable numbers.

[format_kb_human(1)]
args = field
definition = fieldformat $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2),  abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
iseval = 0

Do I have any options other than switching back to eval? I'd rather not have two different macros for the same thing, one using eval and the other using fieldformat.

dart
Splunk Employee
Splunk Employee

Your only option is to use eval, but there is a neat trick we can use to make it a little less painful.

[format_kb_human(1)]
 args = field
 definition = `format_kb_human($field$,"fieldformat")`
 iseval = 0

[format_kb_human(2)]
 args = field, command
 definition = `command` $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2),  abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
 iseval = 0

Then you can replace it in your alert search string with the 2nd parameter being "eval".

0 Karma

Tune In & Win!

Don't miss out on your
chance to take home free
prizes by helping our players
save the Splunk Cloudom!

Dungeons & Data
Monsters: Splunk O11y
Day Editions Games
stream live:
5/4 at 6:30pm PST
5/5 at 7:00pm PST
on