Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

auto increment on query

taha13
Explorer
‎06-01-2018 03:45 AM

Hello,

I'am writing a query to retrieve comments of my clients
This is my query

| eval q_commentaireSupplementaire= "Comm:".q_commentaireSupplementaire

my result :

alt text

What i want is to have an auto increment =>

Comm 1:**** de *** est un personne fortement recommandable et serviable.** ****.
Comm 2:C'est très pratique , surtout quand on ne peut pas joindre notre conseiller dans l'agence
Comm 3:C'est une très bonne initiative, ce qui permet d'avoir rapidement une réponse. Je suis satisfait

Tags (2)
Preview file
13 KB
0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-01-2018 06:32 AM

Try this:

... | streamstats count as row |  eval q_commentaireSupplementaire= "Comm " . row . ":" . q_commentaireSupplementaire
0 Karma
Reply

taha13
Explorer
‎06-01-2018 06:46 AM

i add the count ,and then the counter ,i still have a prolem with sorting

Comm 11:...
Comm 1:...
Comm 15:...
I used aldo sort desc and asc ,but doesnt work too

0 Karma
Reply

niketn
Legend
‎06-01-2018 07:08 AM

@taha13, add printf() function after streamstats to pad zeros to row count values as sorting is considering the Column as string. The following pads upto three zeros i.e. can sort up to 999 comments.

|  streamstats count as row 
|  eval sno=printf("%03d",row)

Also make sure that the field is not multivalue rather it is single value. You can share your current query if this does not help.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

taha13
Explorer
‎06-01-2018 07:24 AM

@niketnilay
Error in 'eval' command: The 'printf' function is unsupported or undefined.

0 Karma
Reply

taha13
Explorer
‎06-01-2018 07:36 AM 
        | streamstats count as row
        | eval sno =printf("%03d",row)
        | eval q_commentaireSupplementaire= "Comm ".sno.": ".q_commentaireSupplementaire
        | stats VALUES(q_commentaireSupplementaire) AS Commentaire BY qa_noteSatisfaction 
        | sort qa_noteSatisfaction desc
        | rename qa_noteSatisfaction AS Note_Satisfaction
0 Karma
Reply

niketn
Legend
‎06-01-2018 07:52 AM

@taha, which version of Splunk are you on?

instead of printf() use the following eval with case()

|  eval sno=case(len(sno)=1,"00".sno,len(sno)=2,"0".sno,true(),sno)

Also, just to be sure of what your data looks like, I was interested in transforming command before streamstats, that you have posted. Post that piece of search if above eval with case() does not work.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...