Formatting lost using fieldformat when alerting via email

Lowell
Super Champion

I have an alert that uses the fieldformat command to format several fields. The fields show up as desired when viewed interactively (using the Splunk web interface), but when sent via email I see the original values, as if the fieldformat is being ignored.

My format_kb_human macro reformats a field (provided in KB) into a more human-readable MB/GB value. I updated this macro from using eval in Splunk 4.1 to use fieldformat in Splunk 4.2. This allows proper sorting using Splunk Web while showing human-readable numbers.

[format_kb_human(1)]
args = field
definition = fieldformat $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2),  abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
iseval = 0

Do I have any options other than switching back to eval? I'd rather not have two different macros for the same thing, one using eval and the other using fieldformat.

dart
Splunk Employee

Your only option is to use eval, but there is a neat trick we can use to make it a little less painful.

[format_kb_human(1)]
args = field
definition = `format_kb_human($field$,"fieldformat")`
iseval = 0

[format_kb_human(2)]
args = field, command
definition = $command$ $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2),  abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
iseval = 0

Then you can replace it in your alert search string with the 2nd parameter being "eval".
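As an added illustration (not part of the original answer) of how the two-argument macro would be used, here are two searches over the `kb` field that splunkd writes to the `_internal` index in its per-sourcetype throughput metrics. The data source is an assumption chosen because it is present on any Splunk instance; the macro names and the `"fieldformat"` / `"eval"` switch are the ones from the answer above. The first search is the interactive form, the second is the alert form:

```spl
index=_internal sourcetype=splunkd component=Metrics group=per_sourcetype_thruput earliest=-24h
| stats sum(kb) AS total_kb BY series
| `format_kb_human(total_kb)`
| sort - total_kb

index=_internal sourcetype=splunkd component=Metrics group=per_sourcetype_thruput earliest=-24h
| stats sum(kb) AS total_kb BY series
| sort - total_kb
| `format_kb_human(total_kb, "eval")`
```

In the interactive form the `sort` can come after the macro, because `fieldformat` leaves the underlying numeric value intact and only changes the rendering. In the alert form the `eval` replaces `total_kb` with a string such as `1.2G`, so any `sort`, `where` or threshold comparison on the size has to happen before the macro is applied; otherwise the alert condition compares strings lexically and `9.5M` sorts above `1.2G`.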
