- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to convert a dollar amount field with $ sign, ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to convert a dollar amount field with $ sign, commas and decimals to a number so I can do avg or sum, etc.?
latest funciton works but avg function does not. I believe splunk is treating my Amount field as a text string. Any way to convert a dollar amount to a numeric value?
Thanks,
Rob
Working:
sourcetype="financials-2" | stats latest(Amount) by Account
Account latest(Amount)
1 Advertising $232.62
2 Annual Report $10.00
3 Electric $367.73
4 Gazebo Maintenance $660.00
5 General Maintenance $1,200.00
6 Insurance $1,638.00
7 Lawn Maint - Extra $9,200.00
8 Lawn Maintenance $1,331.00
9 Legal $231.25
10 Mailing Supplies $54.62
Not working - returns null values for avg(Amount):
sourcetype="financials-2" | stats avg(Amount) by Account
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Strip all the non-numerical characters out 1st. Splunk is treating the values as a string, not a number.
sourcetype="financials-2"
| rex mode=sed field=Amount "s/[^\d\.-]//g"
| stats avg(Amount) as AvgAmount by Account
| eval AvgAmount=if(AvgAmount < 0, "-$".trim(AvgAmount,"-"),"$".AvgAmount)
The last line just reintroduces the $ symbol.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Put your search query within <![CDATA[ your search query here ]]> tag. Alternatively, replace '<' with "<".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works great, however in simple xml, Splunk doesn't like the <. I am getting this error message - Encountered the following error while trying to update: In handler 'views': Error parsing XML on line 67: StartTag: invalid element name. Am I missing something?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Amt = substr(Amount,2) keeps the $ if the value is negative.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you should keep the decimal dot. Otherwise you'll end up with the the wrong figures.
I suggest the slightly simpler;
... | eval Amt = substr(Amount,2) | convert rmcomma(Amt) | stats avg(Amt) by Account
EDIT: my bad. you did keep it. ... and I didn't remove the comma....
EDIT2: updated above, now without commas.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
