Splunk Search

adding commas to numbers, chart+by breaks it.

Path Finder

Howdy all,

I'm using the following search

index="summary_collaboration" 
source="Inbound Messages Accepted & Delivered" 
OR source="Inbound Messages Refused" 
| bucket span=1d _time 
| eval formatted_time=strftime(_time, "%x")
| chart count as messages over source by formatted_time
| addtotals fieldname="7 Day Total" col=true label="Daily Total" labelfield=source

to get back data about mail messages. Since we handle a lot, I'd like to put some separators into the numbers. I've tried adding the line

| eval messages=tostring(messages,"commas")

after the chart command and after the addtotals command, but neither changes the format of the numbers. However, and this is the tricky bit, if I remove the by formatted_time portion of the chart command the commas appear; if I add it back, they go away.

What am I doing wrong?

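Why the commas disappear as soon as the by clause is added (this note and the search below are added here, not from anyone in the thread): `chart count AS messages OVER source BY formatted_time` produces one column per distinct formatted_time value, and each column is named after that value, so after the chart there is no field called `messages` for `eval` or `fieldformat` to act on. Without the by clause the single count column keeps the name `messages`, which is exactly when the commas appear. The search below is an added example, not the original poster's search; it assumes a predictable prefix on the date columns (`d` plus the date, so they can be matched with a wildcard), renames the addtotals field to `total` so no column name needs quoting, and then uses `foreach` to run `tostring(...,"commas")` over every numeric column once the totals have been computed.

```spl
index="summary_collaboration"
    (source="Inbound Messages Accepted & Delivered" OR source="Inbound Messages Refused")
| bucket span=1d _time
| eval day="d".strftime(_time, "%Y%m%d")
| chart count AS messages OVER source BY day
| addtotals fieldname=total col=true label="Daily Total" labelfield=source
| foreach d* total [eval <<FIELD>>=tostring('<<FIELD>>', "commas")]
```

`foreach` expands the bracketed template once per matching field, substituting the field name for `<<FIELD>>`; single quotes on the right-hand side make it a field reference. The `foreach` must come after `addtotals`: `tostring` turns the values into strings, so if it ran first there would be nothing numeric left to sum, which is the same eval-versus-fieldformat point made further down in the thread. Using `%Y%m%d` instead of `%x` also makes the date columns sort chronologically.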

Legend

Instead of eval, try fieldformat, maybe like this

| eval formatted_time=_time | fieldformat formatted_time=strftime(formatted_time, "%x")

and/or

| fieldformat messages=tostring(messages,"commas")

eval changes the fieldtype from numeric to string. fieldformat changes the visual representation, but the underlying value remains numeric.


Contributor

Is there a way to "fieldformat" 'commas' in UK format (##,##,###) instead of US format (###,###,###)?


Contributor

I tried this and it works just fine:
index=_internal per_sourcetype_thruput host=splunkindexer * | timechart span=1d sum(kb) as TotalBytesIndexed | fieldformat TotalBytesIndexedHuman=tostring(TotalBytesIndexed,"commas")


Explorer

Does anyone know why fieldformat is not working on the chart/stats command?
For instance, when trying to change the tooltip format to show values with commas, a search like this doesn't work:
chart sum(RECORD_VALUE) AS Summary by name | fieldformat Summary=tostring(Summary,"commas")

Path Finder

Even with fieldformat I still get the same behavior, and again, if I remove the by clause from the chart command I get the commas. I've also tried this with timechart and I see the same behavior.

This is all coming from a summary index where I've been using sistats and sitop to populate the index. Could that make a difference?
