Solved: Append string to results in table (chart)

ateterine · ‎07-12-2014

Hi,

I am working on advanced HTML dashboards and trying to display data from a search in this way:

123 Apples
34 Pears
278 Oranges

This is my search

products=fruits |  eval fruitName=if(fruit_number="01","Apples",if(fruit_number ="02","Pears",if(fruit_number ="03","Oranges",NULL))) | chart dc(sales) by fruit_number

Which gives me

123
34
278

How do I append those fuits names to results?

Thanks!

lguinn2 · ‎07-13-2014

Okay, try this then

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| stats dc(sales) as sales by fruitName
| table sales fruitName

OR

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| stats dc(sales) as sales by fruitName
| eval result = tostring(sales) + " " + fruitName
| table result

View solution in original post

lguinn2 · ‎07-13-2014

Okay, try this then

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| stats dc(sales) as sales by fruitName
| table sales fruitName

OR

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| stats dc(sales) as sales by fruitName
| eval result = tostring(sales) + " " + fruitName
| table result

ateterine · ‎07-14-2014

Never mind @lguinn, right after I posted that comment I tried couple of things and made it work.

products=fruits
| eval fruitName=case(fruit_number="01","Apples",
fruit_number ="02","Pears",
fruit_number ="03","Oranges",
1==1,null())
| stats dc(sales) as sales by fruit_number fruitName
| eval result = tostring(sales) + " My Custom String " + fruitName
| table result | fields - fruit_number fruitName

Thank you!

ateterine · ‎07-14-2014

Thank you @lguinn, it is sure getting closer. One thing though, I need to sort results by fruitNumber while showing fruitName in results

lguinn2 · ‎07-12-2014

You could do this

products=fruits 
|  eval fruitName=case(fruit_number="01","Apples",
                       fruit_number ="02","Pears",
                       fruit_number ="03","Oranges",
                      1==1,null()) 
| chart dc(sales) by fruitName

OR

products=fruits 
|  eval fruitName= tostring(fruit_number) + " " + case(fruit_number="01","Apples",
                   fruit_number ="02","Pears",
                   fruit_number ="03","Oranges",
                   1==1,null()) 
| chart dc(sales) by fruitName

I used the case function instead of the if function because I like it better, but your if function is fine as well.

ateterine · ‎07-13-2014

Maybe I didn't explain it clear. Say my output should be:

123-This many Apples
34-This many Pears
278-This many Oranges

As I mentioned it is for HTML dashboard, so when joining the values I need special characters for later formatting.

Thank you

Append string to results in table (chart)

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life