Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add commas into a number and make the final...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
02-03-2017
07:49 AM
hi there, I need to add decimal comma separation for a long number such as 2546788 that is, 2,546,788
Then I need to concatenate a string such as " JAN" + "2,546,788" in the final results. Here is my code.
I just need to add the commas:
source=*DT* index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| fieldformat amount= "$" + tostring(Ads, "commas") <=== this is not working
| eval results = previous_month + ": " + Ads
| table results amount
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-03-2017
07:57 AM
You are using command fieldformat, which just updates the display format of the value but not the underlying value. You should use EVAL instead.
source=DT index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount= "$" + tostring(Ads, "commas") | eval results = previous_month + ": " + Ads
| table results amount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-03-2017
07:57 AM
You are using command fieldformat, which just updates the display format of the value but not the underlying value. You should use EVAL instead.
source=DT index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount= "$" + tostring(Ads, "commas") | eval results = previous_month + ": " + Ads
| table results amount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
02-26-2020
03:20 PM
eval amount= "$" + tostring(amount, "commas")
ty
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
02-03-2017
08:45 AM
oh crap and I thought I had tried that...guess not. Thanks bud
Get Updates on the Splunk Community!
Buttercup Games Tutorial Extension - part 9
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games Tutorial Extension - part 8
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Introducing the Splunk Developer Program!
Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
