- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I prevent losing the nice formatting of fie...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I prevent losing the nice formatting of fieldformat after adding xyseries to my stats search?
I have a stats command that correctly formats the count field.
stats count by method client | fieldformat count=tostring(count,"commas")
However, when I add | xyseries method client count, I lose the nice formatting. I try to rearrange the fieldformat clause to the end, but that didn't help. I get no formatting at all with the numbers. I might as well just use chart count over. The reason I use stats with xyseries is that I thought I can format the numbers this way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi wang,
If i understand your problem, you lost the nice formating of count when you add | xyseries method client count , I try to test it with my search like this index=_internal | stats count by group sourcetype |fieldformat count=tostring(count,"commas") | xyseries group sourcetype count ,i lost also the nice formating, but i rearrange it with query like follow because fieldformat command don't allow to keep the formating, try to run it:
This is work very well!
index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Close but not quite. Adding eval fixed the formatting but sorting now sorts count as strings, not numeric values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am working on it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi wang,
I try to sort count in ascending order after converting count as strings with
index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + count
or sort count by lexigraphically order with
index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + str(count) , This both query work fine!
But when i apply xyseries command in this both query, the , the results not change; The results is the same like query that follow:
index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype count
index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + count| xyseries group sourcetype count
index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + str(count)| xyseries group sourcetype count
index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype count |sort + count
index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype counter |sort + str count
Please, Don't forget to vote me if my first answer satisfy you!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
