Splunk query to add commas on calculated fields by...

Mathanjey · ‎01-05-2017

Can you help suggesting options to add commas to the calculated fields

Example : chart count as TotalCnt, people OVER Date BY name

I wanted to display something that will show the count of number separated by comma's (thousand)

gokadroid · ‎01-05-2017

If all you are doing is add commas to the existing field then try fieldformat rather than eval which will preserve the format in case the sorting might be needed on the field later on.
So eval command | eval TotalCnt =tostring(TotalCnt, "commas")
changes to | fieldformat TotalCnt =tostring(TotalCnt, "commas")

Mathanjey · ‎01-05-2017

Thanks the eval TotalCnt =tostring(TotalCnt, "commas") didn't work for me, also i tried fieldformat MsgCnt=tostring(MsgCnt,"commas") which didn't work. I believe OVER Date BY may be a stopping factor.

MonkeyK · ‎01-05-2017

You are right. I'm sorry, I don't know the answer to this. I found some similar questions from years ago that never found a way to get it done.

MonkeyK · ‎01-05-2017

try

chart count as TotalCnt, people OVER Date BY name | eval TotalCnt =tostring(TotalCnt, "commas")

Splunk query to add commas on calculated fields by date

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms