I have a log with "fcTotal":"3989", that represents an order of $39.89.
I'd like to extract it as a field with a value of 39.89. How do I do this?
I have a regex that extracts the field as is, but I'm not sure how I'm supposed to add the decimal into it.
Curious what happens if you just divide the field by 100.
In props:
EVAL-fcTotal=fcTotal/100
Or inline with the search:
... | eval fcTotal=fcTotal/100
Yeah, that moves the decimal, but I figured the safer thing to do is change the field so that users don't need to remember to always divide by 100 when using it.
I tried out the inline example; I'm not familiar with "props".
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
In short, props.conf needs to be placed in the SPLUNK_HOME/etc/apps/appName/local folder, where appName is the Splunk application your users will be searching in. To make it apply to all apps, put it in SPLUNK_HOME/etc/system/local instead.
Your props.conf will look like this:
[sourceTypeName]
EXTRACT-fcTotal = {regex to extract fcTotal}
EVAL-fcTotal = fcTotal/100
where sourceTypeName = name of the sourcetype associated with the events/data
The props.conf approach will always extract the field as such.
Hmm... OK, I guess I need to talk to my sys people about that.
For now the eval function will work. Thanks.
Alternatively you can do this in the GUI too:
settings -> fields -> calculated fields (to create the /100 eval)
settings -> fields -> field extractions (to create the extraction)
http://localhost:8000/en-US/manager/launcher/data/props/calcfields
http://localhost:8000/en-US/manager/launcher/data/props/extractions
I was looking at the calc fields documentation to see if I could do this there. Glad to know that's an option.