Splunk Search

Formatting lost using fieldformat when alerting via email

Lowell
Super Champion

I have an alert that uses the fieldformat command to format several fields. The fields show up as desired when viewed interactively (using the Splunk web interface), but when sent via email I see the original values, as if the fieldformat is being ignored.

My format_kb_human macro reformats a field (provided in KB) into a more human readable MB/GB value. I updated this macro from using eval in Splunk 4.1 to use fieldformat in Splunk 4.2. This allows proper sorting using splunk web while showing human readable numbers.

[format_kb_human(1)]
args = field
definition = fieldformat $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2),  abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
iseval = 0

Do I have any options other than switching back to eval? I'd rather not have two different macros for the same thing, one using eval and the other using fieldformat.

dart
Splunk Employee
Splunk Employee

Your only option is to use eval, but there is a neat trick we can use to make it a little less painful.

[format_kb_human(1)]
 args = field
 definition = `format_kb_human($field$,"fieldformat")`
 iseval = 0

[format_kb_human(2)]
 args = field, command
 definition = `command` $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2),  abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
 iseval = 0

Then you can replace it in your alert search string with the 2nd parameter being "eval".

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...