Splunk Search

How do I format the output

Explorer

on a chart or timechart? I want to have the output be in currency format. I can use the eval and tostring() for a cludge, but is there a better way?

Tags (1)

Engager

For anyone looking to format using integers:

stat_name=sales | timechart sum(total_price) AS total | eval cents = substr(total, -2) | eval dollars = substr(total, 1, len(total) - 2) | eval Revenue = "$" + tostring(dollars, "commas") + "." + cents
0 Karma

Path Finder

The best option would be to use | fieldformat amount= "$" + tostring(amount, "commas"). Using fieldformat vs. eval keeps the data numeric, whereas email considers the data to be a string.

Communicator

correction to above its not email but eval , i guess that is a typo

0 Karma

Splunk Employee
Splunk Employee

Just adding my 2 cents with a practical example, here I go:

index="idx_apache" action=purchase | stats count by product_name, price | eval total=(price*count) | eval PreçoUnit="U$ ". tostring(price,"commas") | eval TotalFinal="U$ ". tostring(total,"commas") | rename count -> QtdVendido | sort -total | fields - price, total

This query will retrieve information about the purchased products based on Apache access logs.

Cheers!

0 Karma

Splunk Employee
Splunk Employee

There is unfortunately not a better way currently. It would be nice to have the charts and tables able to render numbers without changing the underlying data as eval() does (for example, sorting columns of numbers and timestamps doesn't work right when they've been converted to strings for display formatting, and automatic drilldown won't work with such post-reporting conversions on charts).

Splunk Employee
Splunk Employee

Using eval is the best way to solve this problem.

Splunk Employee
Splunk Employee

What is the exact string that tostring(X, "commas") is failing on? I've tried this (limited) example successfully: | stats count | eval count =123456789.12345 | eval count = "$" . tostring(count, "commas"). I'll file a bug on your behalf if you help me reproduce.

0 Karma

Explorer

I used eval X="$" . tostring(X,"commas")
to format, however, there is a bug in tostring(X,"commas") it's supposed to be in comma & 2 decimal places format, but alas, it's not. It's a wonder why I keep telling Godfrey QA needs to be better?

0 Karma