Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I prevent losing the nice formatting of fieldformat after adding xyseries to my stats search?

wang
Path Finder
‎04-07-2015 10:41 PM

I have a stats command that correctly formats the count field.

stats count by method client  | fieldformat count=tostring(count,"commas")

However, when I add | xyseries method client count, I lose the nice formatting. I try to rearrange the fieldformat clause to the end, but that didn't help. I get no formatting at all with the numbers. I might as well just use chart count over. The reason I use stats with xyseries is that I thought I can format the numbers this way.

Reply

ngatchasandra
Builder
‎04-08-2015 01:47 AM

Hi wang,
If i understand your problem, you lost the nice formating of count when you add | xyseries method client count , I try to test it with my search like this index=_internal | stats count by group sourcetype |fieldformat count=tostring(count,"commas") | xyseries group sourcetype count ,i lost also the nice formating, but i rearrange it with query like follow because fieldformat command don't allow to keep the formating, try to run it:

This is work very well!

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas")  | xyseries group sourcetype count
0 Karma
Reply

wang
Path Finder
‎04-08-2015 09:47 AM

Close but not quite. Adding eval fixed the formatting but sorting now sorts count as strings, not numeric values.

0 Karma
Reply

ngatchasandra
Builder
‎04-08-2015 11:14 AM

I am working on it!

0 Karma
Reply

ngatchasandra
Builder
‎04-11-2015 09:19 AM

Hi wang,
I try to sort count in ascending order after converting count as strings with

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + count

or sort count by lexigraphically order with

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + str(count) , This both query work fine!

But when i apply xyseries command in this both query, the , the results not change; The results is the same like query that follow:

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + count| xyseries group sourcetype count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + str(count)| xyseries group sourcetype count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype count |sort + count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype counter |sort + str count

Please, Don't forget to vote me if my first answer satisfy you!

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...