Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

auto increment on query

taha13
Explorer
‎06-01-2018 03:45 AM

Hello,

I'am writing a query to retrieve comments of my clients
This is my query

| eval q_commentaireSupplementaire= "Comm:".q_commentaireSupplementaire

my result :

alt text

What i want is to have an auto increment =>

Comm 1:**** de *** est un personne fortement recommandable et serviable.** ****.
Comm 2:C'est très pratique , surtout quand on ne peut pas joindre notre conseiller dans l'agence
Comm 3:C'est une très bonne initiative, ce qui permet d'avoir rapidement une réponse. Je suis satisfait

Tags (2)
Preview file
1 KB
0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-01-2018 06:32 AM

Try this:

... | streamstats count as row |  eval q_commentaireSupplementaire= "Comm " . row . ":" . q_commentaireSupplementaire
0 Karma
Reply

taha13
Explorer
‎06-01-2018 06:46 AM

i add the count ,and then the counter ,i still have a prolem with sorting

Comm 11:...
Comm 1:...
Comm 15:...
I used aldo sort desc and asc ,but doesnt work too

0 Karma
Reply

niketn
Legend
‎06-01-2018 07:08 AM

@taha13, add printf() function after streamstats to pad zeros to row count values as sorting is considering the Column as string. The following pads upto three zeros i.e. can sort up to 999 comments.

|  streamstats count as row 
|  eval sno=printf("%03d",row)

Also make sure that the field is not multivalue rather it is single value. You can share your current query if this does not help.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

taha13
Explorer
‎06-01-2018 07:24 AM

@niketnilay
Error in 'eval' command: The 'printf' function is unsupported or undefined.

0 Karma
Reply

taha13
Explorer
‎06-01-2018 07:36 AM 
        | streamstats count as row
        | eval sno =printf("%03d",row)
        | eval q_commentaireSupplementaire= "Comm ".sno.": ".q_commentaireSupplementaire
        | stats VALUES(q_commentaireSupplementaire) AS Commentaire BY qa_noteSatisfaction 
        | sort qa_noteSatisfaction desc
        | rename qa_noteSatisfaction AS Note_Satisfaction
0 Karma
Reply

niketn
Legend
‎06-01-2018 07:52 AM

@taha, which version of Splunk are you on?

instead of printf() use the following eval with case()

|  eval sno=case(len(sno)=1,"00".sno,len(sno)=2,"0".sno,true(),sno)

Also, just to be sure of what your data looks like, I was interested in transforming command before streamstats, that you have posted. Post that piece of search if above eval with case() does not work.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...