Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I format the output

JohnB
Explorer
‎08-26-2010 12:55 PM

on a chart or timechart? I want to have the output be in currency format. I can use the eval and tostring() for a cludge, but is there a better way?

Tags (1)
Reply

si_rbrisita
Engager
‎01-21-2016 12:58 PM

For anyone looking to format using integers:

stat_name=sales | timechart sum(total_price) AS total | eval cents = substr(total, -2) | eval dollars = substr(total, 1, len(total) - 2) | eval Revenue = "$" + tostring(dollars, "commas") + "." + cents
0 Karma
Reply

msmapper
Path Finder
‎03-26-2014 02:50 PM

The best option would be to use | fieldformat amount= "$" + tostring(amount, "commas"). Using fieldformat vs. eval keeps the data numeric, whereas email considers the data to be a string.

Reply

nawneel
Communicator
‎04-27-2015 10:49 PM

correction to above its not email but eval , i guess that is a typo

0 Karma
Reply

wagnerbianchi
Splunk Employee
Splunk Employee
‎11-11-2012 07:34 AM

Just adding my 2 cents with a practical example, here I go:

index="idx_apache" action=purchase | stats count by product_name, price | eval total=(price*count) | eval PreçoUnit="U$ ". tostring(price,"commas") | eval TotalFinal="U$ ". tostring(total,"commas") | rename count -> QtdVendido | sort -total | fields - price, total

This query will retrieve information about the purchased products based on Apache access logs.

Cheers!

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-27-2010 04:42 AM

There is unfortunately not a better way currently. It would be nice to have the charts and tables able to render numbers without changing the underlying data as eval() does (for example, sorting columns of numbers and timestamps doesn't work right when they've been converted to strings for display formatting, and automatic drilldown won't work with such post-reporting conversions on charts).

Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-26-2010 04:11 PM

Using eval is the best way to solve this problem.

Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-27-2010 01:48 PM

What is the exact string that tostring(X, "commas") is failing on? I've tried this (limited) example successfully: | stats count | eval count =123456789.12345 | eval count = "$" . tostring(count, "commas"). I'll file a bug on your behalf if you help me reproduce.

0 Karma
Reply

JohnB
Explorer
‎08-27-2010 12:25 PM

I used eval X="$" . tostring(X,"commas")
to format, however, there is a bug in tostring(X,"commas") it's supposed to be in comma & 2 decimal places format, but alas, it's not. It's a wonder why I keep telling Godfrey QA needs to be better?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...