Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to add commas into a number and make the f...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
02-03-2017
07:49 AM
hi there, I need to add decimal comma separation for a long number such as 2546788 that is, 2,546,788
Then I need to concatenate a string such as " JAN" + "2,546,788" in the final results. Here is my code.
I just need to add the commas:
source=*DT* index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| fieldformat amount= "$" + tostring(Ads, "commas") <=== this is not working
| eval results = previous_month + ": " + Ads
| table results amount
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-03-2017
07:57 AM
You are using command fieldformat, which just updates the display format of the value but not the underlying value. You should use EVAL instead.
source=DT index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount= "$" + tostring(Ads, "commas") | eval results = previous_month + ": " + Ads
| table results amount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-03-2017
07:57 AM
You are using command fieldformat, which just updates the display format of the value but not the underlying value. You should use EVAL instead.
source=DT index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon
| convert rmcomma("duration")
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")
| eventstats sum("duration") as Ads
| eval amount= "$" + tostring(Ads, "commas") | eval results = previous_month + ": " + Ads
| table results amount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
02-26-2020
03:20 PM
eval amount= "$" + tostring(amount, "commas")
ty
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
02-03-2017
08:45 AM
oh crap and I thought I had tried that...guess not. Thanks bud
Get Updates on the Splunk Community!
Fastest way to demo Observability
I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...
September Community Champions: A Shoutout to Our Contributors!
As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
