Splunk Search

How to add a decimal to an extracted value (order value recorded as int in logs)

ra01
Path Finder

I have a log with "fcTotal":"3989", that represents an order of $39.89.

I'd like to extract it as a field with a value of 39.89. How do I do this?

I have a regex that extracts the field as is, but I'm not sure how I'm supposed to add the decimal into it.


jkat54
SplunkTrust

Curious what happens if you just divide the field by 100.

in props:
EVAL-fcTotal=fcTotal/100

Or inline with the search:
... | eval fcTotal=fcTotal/100

ra01
Path Finder

Yeah, that moves the decimal, but I figured the safer thing to do is change the field so that users don't need to remember to always divide by 100 when using it.

I tried out the inline example. I'm not familiar with "props".


jkat54
SplunkTrust

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

props.conf in short needs to be placed in the SPLUNK_HOME/etc/apps/appName/local folder where appName is the splunk application your users will be searching in. To make it apply to all apps, put it in SPLUNK_HOME/etc/system/local instead.

Your props.conf will look like this:

[sourceTypeName]
EXTRACT-fcTotal = {regex to extract fcTotal}
EVAL-fcTotal = fcTotal/100

where sourceTypeName = name of the sourcetype associated with the events/data

The props.conf approach will always extract the field as such.

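To make the two-step pipeline above concrete (EXTRACT pulls the raw cents string, EVAL divides it by 100), here is an added Python model of it that is not part of the thread or of Splunk; the regex, the sample events and the orderId field are assumptions, and Decimal is used so the sum of many orders stays exact to the cent.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample events in the shape the question describes:
# the order total is logged as a whole number of cents inside a string.
SAMPLE_EVENTS = [
    '{"orderId":"A1","fcTotal":"3989"}',      # $39.89
    '{"orderId":"A2","fcTotal":"5"}',         # $0.05
    '{"orderId":"A3","fcTotal":"120000"}',    # $1200.00
    '{"orderId":"A4","status":"cancelled"}',  # no total at all
]

# The kind of regex an EXTRACT-fcTotal stanza would carry: the named
# capture group becomes the field name. Hypothetical, not from the thread.
FC_TOTAL_RE = re.compile(r'"fcTotal":"(?P<fcTotal>\d+)"')


def extract_fc_total(event: str):
    """EXTRACT step: the raw cents string, or None if the event has no fcTotal."""
    match = FC_TOTAL_RE.search(event)
    return match.group("fcTotal") if match else None


def cents_to_dollars(cents: str) -> Decimal:
    """EVAL step (fcTotal/100) with exact decimal arithmetic.

    Splunk coerces the string to a number before dividing; Python does not,
    so the conversion is explicit. quantize() pins two decimal places so
    "5" renders as 0.05 and "120000" as 1200.00.
    """
    return (Decimal(cents) / Decimal(100)).quantize(
        Decimal("0.01"), rounding=ROUND_HALF_UP)


def dollar_values(events):
    """Both steps over every event; an event without fcTotal yields None,
    just as a calculated field is absent when its input field is."""
    values = []
    for event in events:
        cents = extract_fc_total(event)
        values.append(cents_to_dollars(cents) if cents is not None else None)
    return values


def sum_dollars(events) -> Decimal:
    """Total of every order that carries a value, exact to the cent."""
    return sum((v for v in dollar_values(events) if v is not None),
               Decimal("0.00"))


if __name__ == "__main__":
    for event, value in zip(SAMPLE_EVENTS, dollar_values(SAMPLE_EVENTS)):
        print(f"{str(value):>10}  {event}")
    print("total:", sum_dollars(SAMPLE_EVENTS))
```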

ra01
Path Finder

Hmm... ok, I guess I need to talk to my sys people about that.

For now the eval function will work. Thanks.


jkat54
SplunkTrust

Alternatively you can do this in the GUI too:

settings -> fields -> calculated fields (to create the /100 eval)
settings -> fields -> field extractions (to create the extraction)

http://localhost:8000/en-US/manager/launcher/data/props/calcfields
http://localhost:8000/en-US/manager/launcher/data/props/extractions


ra01
Path Finder

I was looking at the calc fields documentation to see if I could do this there. Glad to know that's an option.
