yeah that moves the decimal, but i figured the safer thing to do is change the field so that users don't need to remember to always divide by 100 when using it.

I tried out the inline example, I'm not familiar with "props"

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

props.conf in short needs to be placed in the SPLUNK_HOME/etc/apps/appName/local folder where appName is the splunk application your users will be searching in. To make it apply to all apps, put it in SPLUNK_HOME/etc/system/local instead.

Your props.conf will look like this:

[sourceTypeName]
EXTRACT-fcTotal = {regex to extract fcTotal}
EVAL-fcTotal = fcTotal/100

where sourceTypeName = name of the sourcetype associated with the events/data

The props.conf approach will always extract the field as such.

hmm..... ok i guess i need to talk to my sys people about that.

For now the eval function will work. Thanks.

Alternatively you can do this in the GUI too:

settings -> fields -> calculated fields (to create the /100 eval)
settings -> fields -> field extractions (to create the extraction)

http://localhost:8000/en-US/manager/launcher/data/props/calcfields
http://localhost:8000/en-US/manager/launcher/data/props/extractions

I was looking at the calc fields documentation to see if i could do this there. Glad to know that's an option.