I'm using the following search
index="summary_collaboration" source="Inbound Messages Accepted & Delivered" OR source="Inbound Messages Refused" | bucket span=1d _time | eval formatted_time=strftime(_time, "%x") | chart count as messages over source by formatted_time | addtotals fieldname="7 Day Total" col=true label="Daily Total" labelfield=source
to get back data about mail messages. Since we handle a lot, I'd like to put some separators into the numbers. I've tried adding the line
| eval messages=tostring(messages,"commas")
chart command and after the addtotals command but neither changes the format of the numbers. However, and this is the tricky bit, if I remove the by formatted_time portion of the chart command the commas appear; if I add it back they go away.
What am I doing wrong?
Instead of eval, try fieldformat, maybe like this
| eval formatted_time=_time | fieldformat formatted_time=strftime(formatted_time, "%x")
| fieldformat messages=tostring(messages,"commas")
eval changes the fieldtype from numeric to string. fieldformat changes the visual representation, but the underlying value remains numeric.
I tried this and it works just fine:
index=_internal per_sourcetype_thruput host=splunkindexer * | timechart span=1d sum(kb) as TotalBytesIndexed | fieldformat TotalBytesIndexedHuman=tostring(TotalBytesIndexed,"commas")
Does anyone know why the fieldformat is not working on the chart/stats command?
For instance, when trying to change the tooltip format to show value numbers with commas, doing a search like that doesn't work:
chart sum(RECORD_VALUE) AS Summary by name|fieldformat Summary=tostring(Summary,"commas")
fieldformat I still get the same behavior and again if I remove the by clause from the chart command I get the commas. I've also tried this with timechart and I see the same behavior.
This is all coming from a summary index where I've been using sitop to populate the index. Could that make a difference?
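An added example, not part of any post in this thread: with a by clause, chart names its output columns after the formatted_time values, so no field called messages exists for eval or fieldformat to act on, which matches the behavior described above. Using the question's own search, foreach applies the comma format to every numeric column and leaves the source labels alone; because eval turns the values into strings, it goes last, after addtotals.

```spl
index="summary_collaboration" source="Inbound Messages Accepted & Delivered" OR source="Inbound Messages Refused"
| bucket span=1d _time
| eval formatted_time=strftime(_time, "%x")
| chart count as messages over source by formatted_time
| addtotals fieldname="7 Day Total" col=true label="Daily Total" labelfield=source
| foreach * [ eval "<<FIELD>>"=if(isnum('<<FIELD>>'), tostring('<<FIELD>>', "commas"), '<<FIELD>>') ]
```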