Splunk Search

auto increment on query

taha13
Explorer

Hello,

I'am writing a query to retrieve comments of my clients
This is my query

| eval q_commentaireSupplementaire= "Comm:".q_commentaireSupplementaire

my result :

alt text

What i want is to have an auto increment =>

Comm 1:**** de *** est un personne fortement recommandable et serviable.** ****.
Comm 2:C'est très pratique , surtout quand on ne peut pas joindre notre conseiller dans l'agence
Comm 3:C'est une très bonne initiative, ce qui permet d'avoir rapidement une réponse. Je suis satisfait

Tags (2)
0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

Try this:

... | streamstats count as row |  eval q_commentaireSupplementaire= "Comm " . row . ":" . q_commentaireSupplementaire
0 Karma

taha13
Explorer

i add the count ,and then the counter ,i still have a prolem with sorting

Comm 11:...
Comm 1:...
Comm 15:...
I used aldo sort desc and asc ,but doesnt work too

0 Karma

niketnilay
Legend

@taha13, add printf() function after streamstats to pad zeros to row count values as sorting is considering the Column as string. The following pads upto three zeros i.e. can sort up to 999 comments.

|  streamstats count as row 
|  eval sno=printf("%03d",row)

Also make sure that the field is not multivalue rather it is single value. You can share your current query if this does not help.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

taha13
Explorer

@niketnilay
Error in 'eval' command: The 'printf' function is unsupported or undefined.

0 Karma

taha13
Explorer
        | streamstats count as row
        | eval sno =printf("%03d",row)
        | eval q_commentaireSupplementaire= "Comm ".sno.": ".q_commentaireSupplementaire
        | stats VALUES(q_commentaireSupplementaire) AS Commentaire BY qa_noteSatisfaction 
        | sort qa_noteSatisfaction desc
        | rename qa_noteSatisfaction AS Note_Satisfaction
0 Karma

niketnilay
Legend

@taha, which version of Splunk are you on?

instead of printf() use the following eval with case()

|  eval sno=case(len(sno)=1,"00".sno,len(sno)=2,"0".sno,true(),sno)

Also, just to be sure of what your data looks like, I was interested in transforming command before streamstats, that you have posted. Post that piece of search if above eval with case() does not work.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>