Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I prevent losing the nice formatting of fieldformat after adding xyseries to my stats search?

wang
Path Finder
‎04-07-2015 10:41 PM

I have a stats command that correctly formats the count field.

stats count by method client  | fieldformat count=tostring(count,"commas")

However, when I add | xyseries method client count, I lose the nice formatting. I try to rearrange the fieldformat clause to the end, but that didn't help. I get no formatting at all with the numbers. I might as well just use chart count over. The reason I use stats with xyseries is that I thought I can format the numbers this way.

Reply

ngatchasandra
Builder
‎04-08-2015 01:47 AM

Hi wang,
If i understand your problem, you lost the nice formating of count when you add | xyseries method client count , I try to test it with my search like this index=_internal | stats count by group sourcetype |fieldformat count=tostring(count,"commas") | xyseries group sourcetype count ,i lost also the nice formating, but i rearrange it with query like follow because fieldformat command don't allow to keep the formating, try to run it:

This is work very well!

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas")  | xyseries group sourcetype count
0 Karma
Reply

wang
Path Finder
‎04-08-2015 09:47 AM

Close but not quite. Adding eval fixed the formatting but sorting now sorts count as strings, not numeric values.

0 Karma
Reply

ngatchasandra
Builder
‎04-08-2015 11:14 AM

I am working on it!

0 Karma
Reply

ngatchasandra
Builder
‎04-11-2015 09:19 AM

Hi wang,
I try to sort count in ascending order after converting count as strings with

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + count

or sort count by lexigraphically order with

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + str(count) , This both query work fine!

But when i apply xyseries command in this both query, the , the results not change; The results is the same like query that follow:

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + count| xyseries group sourcetype count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + str(count)| xyseries group sourcetype count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype count |sort + count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype counter |sort + str count

Please, Don't forget to vote me if my first answer satisfy you!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...