How to place commas in the output of a chart with columns that vary depending on the search

jonathan_yan5
Explorer

How to place commas in the output of a chart with columns that vary depending on the search (example is date). Sample search would be index=indexname | chart count(fieldname) over xfieldname by date_mday. The results are numerals in which I intend to place commas as a thousands separator, but I was unable to do so because I do not know how I would command a tostring to a variable column name. Please help.

0 Karma
1 Solution

woodcock
Esteemed Legend

First of all, DO NOT use the "free" (but always wrong) date_* fields; calculate your own like this:

... | eval date_mday = strftime(_time, "%d")

As far as commas, do this:

...| foreach * [ eval <<FIELD>>= if(isnum($<<FIELD>>$), tostring($<<FIELD>>$, "commas"), $<<FIELD>>$) ]

jonathan_yan5
Explorer

Did not seem to get the solution applying the above formula. Here is my search:

index=indexname | eval YMD=strftime(_time,"%Y-%m-%d") | chart eval(round(count(PRODUCT)*2.5,2)) over TYPE by YMD useother=f limit=500 | addtotals col=true 2016-* labelfield=TYPE label="Product Type Totals" fieldname="Totals"

I need to place commas on all numeric values inside columns and totals.

0 Karma

jonathan_yan5
Explorer

To add, the sum of "tostring" values when adding commas is not reflected on totals.

0 Karma

woodcock
Esteemed Legend

I just tried it (again) and it worked perfectly. Try this:

index=indexname | eval YMD=strftime(_time,"%Y-%m-%d") 
| chart eval(round(count(PRODUCT)*2.5,2)) over TYPE by YMD useother=f limit=500
| addtotals col=true 2016-* labelfield=TYPE label="Product Type Totals" fieldname="Totals"
| foreach * [ eval <<FIELD>>= if(isnum($<<FIELD>>$), tostring($<<FIELD>>$, "commas"), $<<FIELD>>$) ]

0 Karma

jonathan_yan5
Explorer

Thanks woodcock, it worked using manual search.
One problem though: on my dashboard, I have a timerange ticker. The search we have (with dollar sign) does not load on a time range ticker dashboard. Maybe the value of the time range ticker is being replaced on our search with dollar signs?

The panel is showing "search is waiting for input..."

0 Karma

woodcock
Esteemed Legend

Escape the dollar-signs by adding a second one next to each.

0 Karma

jonathan_yan5
Explorer

Wow! Thanks a lot, it worked!

0 Karma

sundareshr
Legend

Try this

... | foreach * [eval <<FIELD>>=if("<<FIELD>>" == "date_mday", <<FIELD>>, tostring(round('<<FIELD>>', 2), "commas"))]

0 Karma

jonathan_yan5
Explorer

Did not seem to get the solution applying the above formula. Here is my search:

index=indexname | eval YMD=strftime(_time,"%Y-%m-%d") | chart eval(round(count(PRODUCT)*2.5,2)) over TYPE by YMD useother=f limit=500 | addtotals col=true 2016-* labelfield=TYPE label="Product Type Totals" fieldname="Totals"

I need to place commas on all numeric values inside columns and totals.

0 Karma

jonathan_yan5
Explorer

To add, the sum of "tostring" values when adding commas is not reflected on totals.

0 Karma

sundareshr
Legend

Try this

index=indexname | eval YMD=strftime(_time,"%Y-%m-%d") | chart sum(eval(round((PRODUCT*2.5),2))) over TYPE by YMD useother=f limit=500 | addtotals col=true 2016-* labelfield=TYPE label="Product Type Totals" fieldname="Totals" | foreach * [eval <<FIELD>>=if("<<FIELD>>" == "YMD", <<FIELD>>, tostring('<<FIELD>>', "commas"))]

0 Karma

jonathan_yan5
Explorer

Hi sundareshr, thanks for your effort. However, using your search does not show the "TYPE" column in the output.

0 Karma