I've got a search like this against a collection of Web logs:
sourcetype="access_common" | ctable uri_path host
The result is a ctable with URLs down the left, a count column for each of our servers and a grand total column on the right.
How can you format the numbers that are in the cdata cells? (I've been having similar problems with summarizing over table results and xyseries results.) This fieldFormat statement does correctly format the grand total column:
sourcetype="access_common" | ctable uri_path host | fieldFormat TOTAL=tostring(TOTAL,"commas")
So far, I haven't figured out how to address the columns for each specific host. If I use the column name that Splunk produces, no error is generated but there's also no data. I'm guessing that the problem is that I don't know what the correct identifier for the column(s) that I'd like to format. Within the result data, I can see that there are definitions with "tag" elements for the various columns - but these ID values (c='6474' or c='327', etc.) are not stable. Each time you run the search, the IDs are generated from scratch.
Is there a way to address the generated columns in a ctable? For that matter, is there something that works with other, related sorts of extractions like xyseries?
Thanks a lot.
