Splunk Search

How do I format the output

JohnB
Explorer

on a chart or timechart? I want to have the output be in currency format. I can use the eval and tostring() for a cludge, but is there a better way?

Tags (1)

si_rbrisita
Engager

For anyone looking to format using integers:

stat_name=sales | timechart sum(total_price) AS total | eval cents = substr(total, -2) | eval dollars = substr(total, 1, len(total) - 2) | eval Revenue = "$" + tostring(dollars, "commas") + "." + cents
0 Karma

msmapper
Path Finder

The best option would be to use | fieldformat amount= "$" + tostring(amount, "commas"). Using fieldformat vs. eval keeps the data numeric, whereas email considers the data to be a string.

nawneel
Communicator

correction to above its not email but eval , i guess that is a typo

0 Karma

wagnerbianchi
Splunk Employee
Splunk Employee

Just adding my 2 cents with a practical example, here I go:

index="idx_apache" action=purchase | stats count by product_name, price | eval total=(price*count) | eval PreçoUnit="U$ ". tostring(price,"commas") | eval TotalFinal="U$ ". tostring(total,"commas") | rename count -> QtdVendido | sort -total | fields - price, total

This query will retrieve information about the purchased products based on Apache access logs.

Cheers!

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

There is unfortunately not a better way currently. It would be nice to have the charts and tables able to render numbers without changing the underlying data as eval() does (for example, sorting columns of numbers and timestamps doesn't work right when they've been converted to strings for display formatting, and automatic drilldown won't work with such post-reporting conversions on charts).

Stephen_Sorkin
Splunk Employee
Splunk Employee

Using eval is the best way to solve this problem.

Stephen_Sorkin
Splunk Employee
Splunk Employee

What is the exact string that tostring(X, "commas") is failing on? I've tried this (limited) example successfully: | stats count | eval count =123456789.12345 | eval count = "$" . tostring(count, "commas"). I'll file a bug on your behalf if you help me reproduce.

0 Karma

JohnB
Explorer

I used eval X="$" . tostring(X,"commas")
to format, however, there is a bug in tostring(X,"commas") it's supposed to be in comma & 2 decimal places format, but alas, it's not. It's a wonder why I keep telling Godfrey QA needs to be better?

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...