Splunk Enterprise Security

How to replace High number Digits with a letter?

omri_p
Engager

I have created several dashboards containing high numbers (millions or thousands)
in the dashboard i would like the results to show only the 1 - 2 digits and replace the rest with a dedicated letter (the same as at the glass table)
example:
the dashboard displays a refreshing result of 3,000,000 Millions events ----> i want to display 3M
13,000,000 Millions events ----> i want to display 13M
and the same if the results changes to thonsands

thanks

Labels (1)
0 Karma

@omri_p in Splunk Enterprise 7.x has axis abbreviation available which when set to auto, results in closest SI prefix. Refer to documentation:https://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference#Area.2C_Bubble.2...

charting.axisX.abbreviation 
charting.axisY.abbreviation
charting.axisY2.abbreviation 

PS: charting.axisY2.abbreviation is not supported for bubble and scatter charts.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@omri_p ,

Try using case,

| eval formatted_number=case(number>=1000000,round(number/1000000,1),number>=1000000,round(number/100000,1))
| eval unit=case(floor(number/1000000) > 1,"M",floor(number/100000) >1,"K")
| eval number=formatted_number.unit
| fields number

where number is your value field. You may extend the case conditions to cover all possible values

Happy Splunking!

mihir_hardas
Explorer

We need a sophisticated function, convert numeric function that will take care of such conversion of large number in millions, billions as 1.20M , 0.8B

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...