Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add a decimal to an extracted value (order value recorded as int in logs)

ra01
Path Finder
‎05-09-2016 07:44 AM

I have a log with "fcTotal":"3989", that represents an order of $39.89.

I'd like to extract it as a field with a value of 39.89. How do I do this?

I have a regex that extracts the field as is, but I'm not sure how I'm supposed to add the decimal into it.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎05-09-2016 07:50 AM

Curious what happens if you just divide the field by 100.

in props:
EVAL-fcTotal=fcTotal/100

Or inline with the search:
... | eval fcTotal=fcTotal/100

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎05-09-2016 07:50 AM

Curious what happens if you just divide the field by 100.

in props:
EVAL-fcTotal=fcTotal/100

Or inline with the search:
... | eval fcTotal=fcTotal/100

Reply
Solved! Jump to solution

ra01
Path Finder
‎05-09-2016 07:53 AM

yeah that moves the decimal, but i figured the safer thing to do is change the field so that users don't need to remember to always divide by 100 when using it.

I tried out the inline example, I'm not familiar with "props"

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-09-2016 07:57 AM

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

props.conf in short needs to be placed in the SPLUNK_HOME/etc/apps/appName/local folder where appName is the splunk application your users will be searching in. To make it apply to all apps, put it in SPLUNK_HOME/etc/system/local instead.

Your props.conf will look like this:

[sourceTypeName]
EXTRACT-fcTotal = {regex to extract fcTotal}
EVAL-fcTotal = fcTotal/100

where sourceTypeName = name of the sourcetype associated with the events/data

The props.conf approach will always extract the field as such.

0 Karma
Reply
Solved! Jump to solution

ra01
Path Finder
‎05-09-2016 08:09 AM

hmm..... ok i guess i need to talk to my sys people about that.

For now the eval function will work. Thanks.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-09-2016 08:44 AM

Alternatively you can do this in the GUI too:

settings -> fields -> calculated fields (to create the /100 eval)
settings -> fields -> field extractions (to create the extraction)

http://localhost:8000/en-US/manager/launcher/data/props/calcfields
http://localhost:8000/en-US/manager/launcher/data/props/extractions

0 Karma
Reply
Solved! Jump to solution

ra01
Path Finder
‎05-09-2016 08:46 AM

I was looking at the calc fields documentation to see if i could do this there. Glad to know that's an option.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...