I have an alert that uses the
fieldformat command to format several fields. The fields show up as desired when viewed interactively (using the Splunk web interface), but when sent via email I see the original values, as if the
fieldformat is being ignored.
format_kb_human macro reformats a field (provided in KB) into a more human readable MB/GB value. I updated this macro from using
eval in Splunk 4.1 to use
fieldformat in Splunk 4.2. This allows proper sorting using splunk web while showing human readable numbers.
args = field
definition = fieldformat $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2), abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
iseval = 0
Do I have any options other than switching back to
eval? I'd rather not have two different macros for the same thing, one using
eval and the other using