Howdy all,
I'm using the following search:
index="summary_collaboration"
source="Inbound Messages Accepted & Delivered"
OR source="Inbound Messages Refused"
| bucket span=1d _time
| eval formatted_time=strftime(_time, "%x")
| chart count as messages over source by formatted_time
| addtotals fieldname="7 Day Total" col=true label="Daily Total" labelfield=source
to get back data about mail messages. Since we handle a lot, I'd like to put some separators into the numbers. I've tried adding the line
| eval messages=tostring(messages,"commas")
after the chart command and after the addtotals command, but neither changes the format of the numbers. However, and this is the tricky bit, if I remove the by formatted_time portion of the chart command the commas appear; if I add it back they go away.
What am I doing wrong?
Instead of eval, try fieldformat, maybe like this:
| eval formatted_time=_time | fieldformat formatted_time=strftime(formatted_time, "%x")
and/or
| fieldformat messages=tostring(messages,"commas")
eval changes the fieldtype from numeric to string. fieldformat changes the visual representation, but the underlying value remains numeric.
Is there a way to "fieldformat" 'commas' in UK format (##,##,###) instead of US format (###,###,###)?
I tried this and it works just fine:
index=_internal per_sourcetype_thruput host=splunkindexer * | timechart span=1d sum(kb) as TotalBytesIndexed | fieldformat TotalBytesIndexedHuman=tostring(TotalBytesIndexed,"commas")
Does anyone know why fieldformat is not working on the chart/stats command?
For instance, when trying to change the tooltip format to show values with commas, a search like this doesn't work:
chart sum(RECORD_VALUE) AS Summary by name|fieldformat Summary=tostring(Summary,"commas")
Even with fieldformat I still get the same behavior, and again if I remove the by clause from the chart command I get the commas. I've also tried this with timechart and I see the same behavior.
This is all coming from a summary index where I've been using sistats and sitop to populate the index. Could that make a difference?
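One way to put thousands separators on every numeric column of the split-by chart, added here as an example and not taken from any answer in the thread: once chart has a by formatted_time clause, the result columns are named after the formatted_time values rather than "messages", so an eval or fieldformat on a field called messages has nothing to act on, while foreach visits each column by name. It assumes the original search from the question and only guards non-numeric columns (source, and the "Daily Total" label row) with isnum so they are left untouched.

```spl
index="summary_collaboration"
    source="Inbound Messages Accepted & Delivered"
    OR source="Inbound Messages Refused"
| bucket span=1d _time
| eval formatted_time=strftime(_time, "%x")
| chart count as messages over source by formatted_time
| addtotals fieldname="7 Day Total" col=true label="Daily Total" labelfield=source
| foreach * [eval '<<FIELD>>'=if(isnum('<<FIELD>>'), tostring('<<FIELD>>', "commas"), '<<FIELD>>')]
```

As the accepted answer notes, eval turns the formatted cells into strings, which affects sorting; replacing eval with fieldformat inside the foreach template should keep the values numeric, but that variant is an assumption here and was not tested.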