Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add commas into a number and make the final...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
02-03-2017
07:49 AM
hi there, I need to add decimal comma separation for a long number such as 2546788 that is, 2,546,788
Then I need to concatenate a string such as " JAN" + "2,546,788" in the final results. Here is my code.
I just need to add the commas:
source=*DT* index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| fieldformat amount= "$" + tostring(Ads, "commas") <=== this is not working
| eval results = previous_month + ": " + Ads
| table results amount
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-03-2017
07:57 AM
You are using command fieldformat, which just updates the display format of the value but not the underlying value. You should use EVAL instead.
source=DT index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount= "$" + tostring(Ads, "commas") | eval results = previous_month + ": " + Ads
| table results amount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-03-2017
07:57 AM
You are using command fieldformat, which just updates the display format of the value but not the underlying value. You should use EVAL instead.
source=DT index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount= "$" + tostring(Ads, "commas") | eval results = previous_month + ": " + Ads
| table results amount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
02-26-2020
03:20 PM
eval amount= "$" + tostring(amount, "commas")
ty
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
02-03-2017
08:45 AM
oh crap and I thought I had tried that...guess not. Thanks bud
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
.conf25 Global Broadcast: Don’t Miss a Moment
Hello Splunkers,
.conf25 is only a click away.
Not able to make it to .conf25 in person? No worries, you can ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
What's New in Splunk Observability - August 2025
What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...
