Append string to results in table (chart)

ateterine
Path Finder

Hi,

I am working on advanced HTML dashboards and trying to display data from a search in this way:

123 Apples
34 Pears
278 Oranges

This is my search

products=fruits |  eval fruitName=if(fruit_number="01","Apples",if(fruit_number ="02","Pears",if(fruit_number ="03","Oranges",NULL))) | chart dc(sales) by fruit_number

Which gives me

123
34
278

How do I append those fruit names to the results?

Thanks!

1 Solution

lguinn2
Legend

Okay, try this then

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| stats dc(sales) as sales by fruitName
| table sales fruitName

OR

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| stats dc(sales) as sales by fruitName
| eval result = tostring(sales) + " " + fruitName
| table result

ateterine
Path Finder

Never mind @lguinn, right after I posted that comment I tried a couple of things and made it work.

products=fruits
| eval fruitName=case(fruit_number="01","Apples",
fruit_number ="02","Pears",
fruit_number ="03","Oranges",
1==1,null())
| stats dc(sales) as sales by fruit_number fruitName
| eval result = tostring(sales) + " My Custom String " + fruitName
| table result | fields - fruit_number fruitName

Thank you!

ateterine
Path Finder

Thank you @lguinn, it is sure getting closer. One thing though, I need to sort results by fruitNumber while showing fruitName in results.

lguinn2
Legend

You could do this

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| chart dc(sales) by fruitName

OR

products=fruits 
|  eval fruitName= tostring(fruit_number) + " " + case(fruit_number="01","Apples",
                   fruit_number ="02","Pears",
                   fruit_number ="03","Oranges",
                   1==1,null()) 
| chart dc(sales) by fruitName

I used the case function instead of the if function because I like it better, but your if function is fine as well.

ateterine
Path Finder

Maybe I didn't explain it clearly. Say my output should be:

123-This many Apples
34-This many Pears
278-This many Oranges

As I mentioned, it is for an HTML dashboard, so when joining the values I need special characters for later formatting.

Thank you
