Splunk Search

Append string to results in table (chart)

ateterine
Path Finder

Hi,

I am working on advanced HTML dashboards and trying to display data from a search in this way:

123 Apples
34 Pears
278 Oranges

This is my search

products=fruits |  eval fruitName=if(fruit_number="01","Apples",if(fruit_number ="02","Pears",if(fruit_number ="03","Oranges",NULL))) | chart dc(sales) by fruit_number

Which gives me

123
34
278

How do I append those fuits names to results?

Thanks!

Tags (2)
1 Solution

lguinn2
Legend

Okay, try this then

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| stats dc(sales) as sales by fruitName
| table sales fruitName

OR

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| stats dc(sales) as sales by fruitName
| eval result = tostring(sales) + " " + fruitName
| table result

View solution in original post

lguinn2
Legend

Okay, try this then

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| stats dc(sales) as sales by fruitName
| table sales fruitName

OR

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| stats dc(sales) as sales by fruitName
| eval result = tostring(sales) + " " + fruitName
| table result

ateterine
Path Finder

Never mind @Anonymous, right after I posted that comment I tried couple of things and made it work.

products=fruits
| eval fruitName=case(fruit_number="01","Apples",
fruit_number ="02","Pears",
fruit_number ="03","Oranges",
1==1,null())
| stats dc(sales) as sales by fruit_number fruitName
| eval result = tostring(sales) + " My Custom String " + fruitName
| table result | fields - fruit_number fruitName

Thank you!

ateterine
Path Finder

Thank you @lguinn, it is sure getting closer. One thing though, I need to sort results by fruitNumber while showing fruitName in results

0 Karma

lguinn2
Legend

You could do this

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| chart dc(sales) by fruitName

OR

products=fruits 
|  eval fruitName= tostring(fruit_number) + " " + case(fruit_number="01","Apples",
                   fruit_number ="02","Pears",
                   fruit_number ="03","Oranges",
                   1==1,null()) 
| chart dc(sales) by fruitName

I used the case function instead of the if function because I like it better, but your if function is fine as well.

ateterine
Path Finder

Maybe I didn't explain it clear. Say my output should be:

123-This many Apples
34-This many Pears
278-This many Oranges

As I mentioned it is for HTML dashboard, so when joining the values I need special characters for later formatting.

Thank you

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...