
How to add a decimal to an extracted value (order value recorded as int in logs)

Path Finder

I have a log with "fcTotal":"3989", that represents an order of $39.89.

I'd like to extract it as a field with a value of 39.89. How do I do this?

I have a regex that extracts the field as is, but I'm not sure how I'm supposed to add the decimal into it.


Re: How to add a decimal to an extracted value (order value recorded as int in logs)

SplunkTrust

Curious what happens if you just divide the field by 100.

In props:
EVAL-fcTotal=fcTotal/100

Or inline with the search:
... | eval fcTotal=fcTotal/100


Re: How to add a decimal to an extracted value (order value recorded as int in logs)

Path Finder

Yeah, that moves the decimal, but I figured the safer thing to do is change the field so that users don't need to remember to always divide by 100 when using it.

I tried out the inline example; I'm not familiar with "props".


Re: How to add a decimal to an extracted value (order value recorded as int in logs)

SplunkTrust

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

props.conf, in short, needs to be placed in the $SPLUNK_HOME/etc/apps/appName/local folder, where appName is the Splunk application your users will be searching in. To make it apply to all apps, put it in $SPLUNK_HOME/etc/system/local instead.

Your props.conf will look like this:

[sourceTypeName]
EXTRACT-fcTotal = {regex to extract fcTotal}
EVAL-fcTotal = fcTotal/100

where sourceTypeName = name of the sourcetype associated with the events/data

The props.conf approach will always extract the field as such.


Re: How to add a decimal to an extracted value (order value recorded as int in logs)

Path Finder

Hmm... OK, I guess I need to talk to my sys people about that.

For now the eval function will work. Thanks.


Re: How to add a decimal to an extracted value (order value recorded as int in logs)

SplunkTrust

Alternatively you can do this in the GUI too:

settings -> fields -> calculated fields (to create the /100 eval)
settings -> fields -> field extractions (to create the extraction)

http://localhost:8000/en-US/manager/launcher/data/props/calcfields
http://localhost:8000/en-US/manager/launcher/data/props/extractions


Re: How to add a decimal to an extracted value (order value recorded as int in logs)

Path Finder

I was looking at the calc fields documentation to see if I could do this there. Glad to know that's an option.
