Splunk Search

Splunk query to add commas on calculated fields by date

Mathanjey
Explorer

Can you help suggesting options to add commas to the calculated fields

Example : chart count as TotalCnt, people OVER Date BY name

I wanted to display something that will show the count of number separated by comma's (thousand)

Tags (1)
0 Karma

gokadroid
Motivator

If all you are doing is add commas to the existing field then try fieldformat rather than eval which will preserve the format in case the sorting might be needed on the field later on.
So eval command | eval TotalCnt =tostring(TotalCnt, "commas")
changes to | fieldformat TotalCnt =tostring(TotalCnt, "commas")

0 Karma

Mathanjey
Explorer

Thanks the eval TotalCnt =tostring(TotalCnt, "commas") didn't work for me, also i tried fieldformat MsgCnt=tostring(MsgCnt,"commas") which didn't work. I believe OVER Date BY may be a stopping factor.

0 Karma

MonkeyK
Builder

You are right. I'm sorry, I don't know the answer to this. I found some similar questions from years ago that never found a way to get it done.

0 Karma

MonkeyK
Builder

try

chart count as TotalCnt, people OVER Date BY name | eval TotalCnt =tostring(TotalCnt, "commas")

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...