Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to place commas in the output of a chart with columns that varies depending on the search

jonathan_yan5
Explorer
‎07-04-2016 07:54 AM

how to place commas in the output of a chart with columns that varies depending on the search (example is date). Sample search would be index=indexname | chart count(fieldname) over xfieldname by date_mday. Results are numerals which i intend to place commas as a thousands separator but was unable to do so because i do not know how would i command a tostring to a variable column name. please help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-04-2016 08:39 AM

First of all, DO NOT use the "free" (but always wrong) date_* fields, calculate your own like this

... | eval date_mday = strftime(_time, "%d")

As far as commas, do this:

...| foreach * [ eval <<FIELD>>= if(isnum($<<FIELD>>$), tostring($<<FIELD>>$, "commas"), $<<FIELD>>$) ]

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-04-2016 08:39 AM

First of all, DO NOT use the "free" (but always wrong) date_* fields, calculate your own like this

... | eval date_mday = strftime(_time, "%d")

As far as commas, do this:

...| foreach * [ eval <<FIELD>>= if(isnum($<<FIELD>>$), tostring($<<FIELD>>$, "commas"), $<<FIELD>>$) ]
Reply
Solved! Jump to solution

jonathan_yan5
Explorer
‎07-05-2016 04:08 AM

did not seem to get the solution applying the above formula. here is my search:

index=indexname | eval YMD=strftime(_time,"%Y-%m-%d") | chart eval(round(count(PRODUCT)2.5,2)) over TYPE by YMD useother=f limit=500 | addtotals col=true 2016- labelfield=TYPE label="Product Type Totals" fieldname="Totals"

i need to place commas on all numeric values inside columns and totals

0 Karma
Reply
Solved! Jump to solution

jonathan_yan5
Explorer
‎07-05-2016 04:10 AM

to add, the sum of "tostring" values when adding commas are not reflected on totals

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-05-2016 07:16 AM

I just tried it (again) and it worked perfectly. Try this:

index=indexname | eval YMD=strftime(_time,"%Y-%m-%d") 
| chart eval(round(count(PRODUCT)*2.5,2)) over TYPE by YMD useother=f limit=500
| addtotals col=true 2016-* labelfield=TYPE label="Product Type Totals" fieldname="Totals"
| foreach * [ eval <<FIELD>>= if(isnum($<<FIELD>>$), tostring($<<FIELD>>$, "commas"), $<<FIELD>>$) ]
0 Karma
Reply
Solved! Jump to solution

jonathan_yan5
Explorer
‎07-06-2016 07:41 PM

thanks woodcock it worked using manual search.
one problem though, on my dashboard, i have a timerange ticker. the search we have (with dollar sign) does not load on a time range ticker dashboard. maybe the value of the time range ticker is being replaced on our search with dollar signs?

the panel is showing "search is waiting for input..."

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-06-2016 08:54 PM

Escape the dollar-signs by adding a second one next to each.

0 Karma
Reply
Solved! Jump to solution

jonathan_yan5
Explorer
‎07-07-2016 12:13 AM

Wow! thanks a lot, it worked!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-04-2016 08:11 AM

Try this

... | foreach * [eval <<FIELD>>=if("<<FIELD>>" == "date_mday", <<FIELD>>, tostring(round('<<FIELD>>', 2), "commas")))]
0 Karma
Reply
Solved! Jump to solution

jonathan_yan5
Explorer
‎07-05-2016 04:09 AM

did not seem to get the solution applying the above formula. here is my search:

index=indexname | eval YMD=strftime(_time,"%Y-%m-%d") | chart eval(round(count(PRODUCT)2.5,2)) over TYPE by YMD useother=f limit=500 | addtotals col=true 2016- labelfield=TYPE label="Product Type Totals" fieldname="Totals"

i need to place commas on all numeric values inside columns and totals

0 Karma
Reply
Solved! Jump to solution

jonathan_yan5
Explorer
‎07-05-2016 04:10 AM

to add, the sum of "tostring" values when adding commas are not reflected on totals

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-05-2016 04:27 AM

Try this 

index=indexname | eval YMD=strftime(_time,"%Y-%m-%d") | chart sum(eval(round((PRODUCT*2.5),2))) over TYPE by YMD useother=f limit=500 | addtotals col=true 2016- labelfield=TYPE label="Product Type Totals" fieldname="Totals" |  foreach * [eval <<FIELD>>=if("<<FIELD>>" == "YMD", <<FIELD>>, tostring('<<FIELD>>', "commas")))]
0 Karma
Reply
Solved! Jump to solution

jonathan_yan5
Explorer
‎07-06-2016 07:47 PM

hi sundareshr thanks for your effort. however using your search does not show the "TYPE" column on the output.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top