Splunk Search

How to add commas into a number and make the final result a string?

maximusdm
Communicator

hi there, I need to add decimal comma separation for a long number such as 2546788 that is, 2,546,788
Then I need to concatenate a string such as " JAN" + "2,546,788" in the final results. Here is my code.
I just need to add the commas:

source=*DT* index=freewheel sourcetype=delta   earliest=-1mon@mon latest=@mon    
| convert rmcomma("duration")         
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b")       
| eventstats sum("duration") as Ads 
| fieldformat amount= "$" + tostring(Ads, "commas") <=== this is not working
| eval results = previous_month + ": " + Ads 
| table results amount

Thank you

Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

You are using command fieldformat, which just updates the display format of the value but not the underlying value. You should use EVAL instead.

source=DT index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon 
| convert rmcomma("duration") 
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b") 
| eventstats sum("duration") as Ads 
| eval amount= "$" + tostring(Ads, "commas")     | eval results = previous_month + ": " + Ads 
| table results amount

View solution in original post

somesoni2
Revered Legend

You are using command fieldformat, which just updates the display format of the value but not the underlying value. You should use EVAL instead.

source=DT index=freewheel sourcetype=delta earliest=-1mon@mon latest=@mon 
| convert rmcomma("duration") 
| eval previous_month = strftime(relative_time(now(), "-1mon"), "%b") 
| eventstats sum("duration") as Ads 
| eval amount= "$" + tostring(Ads, "commas")     | eval results = previous_month + ": " + Ads 
| table results amount

nick405060
Motivator

eval amount= "$" + tostring(amount, "commas")

ty

0 Karma

maximusdm
Communicator

oh crap and I thought I had tried that...guess not. Thanks bud

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...