Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I format the output

JohnB
Explorer
‎08-26-2010 12:55 PM

on a chart or timechart? I want to have the output be in currency format. I can use the eval and tostring() for a cludge, but is there a better way?

Tags (1)
Reply

si_rbrisita
Engager
‎01-21-2016 12:58 PM

For anyone looking to format using integers:

stat_name=sales | timechart sum(total_price) AS total | eval cents = substr(total, -2) | eval dollars = substr(total, 1, len(total) - 2) | eval Revenue = "$" + tostring(dollars, "commas") + "." + cents
0 Karma
Reply

msmapper
Path Finder
‎03-26-2014 02:50 PM

The best option would be to use | fieldformat amount= "$" + tostring(amount, "commas"). Using fieldformat vs. eval keeps the data numeric, whereas email considers the data to be a string.

Reply

nawneel
Communicator
‎04-27-2015 10:49 PM

correction to above its not email but eval , i guess that is a typo

0 Karma
Reply

wagnerbianchi
Splunk Employee
Splunk Employee
‎11-11-2012 07:34 AM

Just adding my 2 cents with a practical example, here I go:

index="idx_apache" action=purchase | stats count by product_name, price | eval total=(price*count) | eval PreçoUnit="U$ ". tostring(price,"commas") | eval TotalFinal="U$ ". tostring(total,"commas") | rename count -> QtdVendido | sort -total | fields - price, total

This query will retrieve information about the purchased products based on Apache access logs.

Cheers!

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-27-2010 04:42 AM

There is unfortunately not a better way currently. It would be nice to have the charts and tables able to render numbers without changing the underlying data as eval() does (for example, sorting columns of numbers and timestamps doesn't work right when they've been converted to strings for display formatting, and automatic drilldown won't work with such post-reporting conversions on charts).

Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-26-2010 04:11 PM

Using eval is the best way to solve this problem.

Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-27-2010 01:48 PM

What is the exact string that tostring(X, "commas") is failing on? I've tried this (limited) example successfully: | stats count | eval count =123456789.12345 | eval count = "$" . tostring(count, "commas"). I'll file a bug on your behalf if you help me reproduce.

0 Karma
Reply

JohnB
Explorer
‎08-27-2010 12:25 PM

I used eval X="$" . tostring(X,"commas")
to format, however, there is a bug in tostring(X,"commas") it's supposed to be in comma & 2 decimal places format, but alas, it's not. It's a wonder why I keep telling Godfrey QA needs to be better?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...