I have an alert that uses the fieldformat command to format several fields. The fields show up as desired when viewed interactively (using the Splunk web interface), but when sent via email I see the original values, as if the fieldformat is being ignored.
My format_kb_human macro reformats a field (provided in KB) into a more human-readable MB/GB value. I updated this macro from using eval in Splunk 4.1 to using fieldformat in Splunk 4.2. This allows proper sorting in Splunk web while showing human-readable numbers.
[format_kb_human(1)]
args = field
definition = fieldformat $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2), abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
iseval = 0
Do I have any options other than switching back to eval? I'd rather not have two different macros for the same thing, one using eval and the other using fieldformat.
Your only option is to use eval, but there is a neat trick we can use to make it a little less painful.
[format_kb_human(1)]
args = field
definition = `format_kb_human($field$,"fieldformat")`
iseval = 0
[format_kb_human(2)]
args = field, command
# Macro arguments are substituted as $name$; a bare `command` in backticks would be expanded as a call to a macro named "command" instead of the argument.
definition = $command$ $field$=tostring(case(abs($field$)>=1000000, round($field$/1024/1024,2), abs($field$)>=1000, round($field$/1024,1), NOT isnull($field$), round($field$,1), 0==0, "")) . case(abs($field$)>=1000000,"G", abs($field$)>=1000,"M", NOT isnull($field$), "K", 0==0, "")
iseval = 0
Then you can replace it in your alert search string with the 2nd parameter being "eval".
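The trade-off behind this thread, shown as an added example rather than anything from the original posts: a Python port of the macro's case() logic (same 1000/1000000 thresholds and 1024 divisors as the macro, with fixed decimal places instead of Splunk's tostring output), run over a constructed list of KB values. Sorting the rendered strings, which is what an eval-based macro leaves you with in the alert result, orders "1.43G" before "512.0K"; sorting the numeric value and rendering only for display, which is what fieldformat does in Splunk web, keeps the true order.

```python
from typing import List, Optional

# Constructed sample values in KB, deliberately spanning all three ranges.
SAMPLE_KB: List[Optional[float]] = [512, 2048, 1500000, 96, 10240, None]


def format_kb_human(kb: Optional[float]) -> str:
    """Port of the macro's case() expression.

    Thresholds are compared on abs() exactly as in the macro, so negative
    values keep their sign; a null field renders as "" just like the
    macro's final 0==0 branch.
    """
    if kb is None:
        return ""
    mag = abs(kb)
    if mag >= 1000000:
        return f"{round(kb / 1024 / 1024, 2):.2f}G"
    if mag >= 1000:
        return f"{round(kb / 1024, 1):.1f}M"
    return f"{round(kb, 1):.1f}K"


def eval_style_sort(values: List[Optional[float]]) -> List[str]:
    """What `eval` gives you: the field now holds a string, so any later
    sort is lexical on the rendered text."""
    rendered = [format_kb_human(v) for v in values if v is not None]
    return sorted(rendered)


def fieldformat_style_sort(values: List[Optional[float]]) -> List[str]:
    """What `fieldformat` gives you: the field stays numeric, the sort is
    numeric, and the human-readable form is applied only at display time."""
    ordered = sorted(v for v in values if v is not None)
    return [format_kb_human(v) for v in ordered]


if __name__ == "__main__":
    print("eval-style order:       ", eval_style_sort(SAMPLE_KB))
    print("fieldformat-style order:", fieldformat_style_sort(SAMPLE_KB))
```

Because the email action sees the search results rather than the web UI's display layer, the "eval" form is the one that reaches the recipient; if the alert also sorts on that field, sort before the macro call so the sort happens on the numeric value.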