Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add commas into a number and make the final...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
02-03-2017
07:49 AM
hi there, I need to add decimal comma separation for a long number such as 2546788 that is, 2,546,788
Then I need to concatenate a string such as " JAN" + "2,546,788" in the final results. Here is my code.
I just need to add the commas:
source=*DT* index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| fieldformat amount= "$" + tostring(Ads, "commas") <=== this is not working
| eval results = previous_month + ": " + Ads
| table results amount
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-03-2017
07:57 AM
You are using command fieldformat, which just updates the display format of the value but not the underlying value. You should use EVAL instead.
source=DT index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount= "$" + tostring(Ads, "commas") | eval results = previous_month + ": " + Ads
| table results amount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-03-2017
07:57 AM
You are using command fieldformat, which just updates the display format of the value but not the underlying value. You should use EVAL instead.
source=DT index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount= "$" + tostring(Ads, "commas") | eval results = previous_month + ": " + Ads
| table results amount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
02-26-2020
03:20 PM
eval amount= "$" + tostring(amount, "commas")
ty
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
02-03-2017
08:45 AM
oh crap and I thought I had tried that...guess not. Thanks bud
Get Updates on the Splunk Community!
Splunk Observability as Code: From Zero to Dashboard
For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...
Shape the Future of Splunk: Join the Product Research Lab!
Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...
