- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Append string to results in table (chart)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am working on advanced HTML dashboards and trying to display data from a search in this way:
123 Apples
34 Pears
278 Oranges
This is my search
products=fruits | eval fruitName=if(fruit_number="01","Apples",if(fruit_number ="02","Pears",if(fruit_number ="03","Oranges",NULL))) | chart dc(sales) by fruit_number
Which gives me
123
34
278
How do I append those fuits names to results?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, try this then
products=fruits
| eval fruitName=case(fruit_number="01","Apples",
fruit_number ="02","Pears",
fruit_number ="03","Oranges",
1==1,null())
| stats dc(sales) as sales by fruitName
| table sales fruitName
OR
products=fruits
| eval fruitName=case(fruit_number="01","Apples",
fruit_number ="02","Pears",
fruit_number ="03","Oranges",
1==1,null())
| stats dc(sales) as sales by fruitName
| eval result = tostring(sales) + " " + fruitName
| table result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, try this then
products=fruits
| eval fruitName=case(fruit_number="01","Apples",
fruit_number ="02","Pears",
fruit_number ="03","Oranges",
1==1,null())
| stats dc(sales) as sales by fruitName
| table sales fruitName
OR
products=fruits
| eval fruitName=case(fruit_number="01","Apples",
fruit_number ="02","Pears",
fruit_number ="03","Oranges",
1==1,null())
| stats dc(sales) as sales by fruitName
| eval result = tostring(sales) + " " + fruitName
| table result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Never mind @lguinn, right after I posted that comment I tried couple of things and made it work.
products=fruits
| eval fruitName=case(fruit_number="01","Apples",
fruit_number ="02","Pears",
fruit_number ="03","Oranges",
1==1,null())
| stats dc(sales) as sales by fruit_number fruitName
| eval result = tostring(sales) + " My Custom String " + fruitName
| table result | fields - fruit_number fruitName
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @lguinn, it is sure getting closer. One thing though, I need to sort results by fruitNumber while showing fruitName in results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could do this
products=fruits
| eval fruitName=case(fruit_number="01","Apples",
fruit_number ="02","Pears",
fruit_number ="03","Oranges",
1==1,null())
| chart dc(sales) by fruitName
OR
products=fruits
| eval fruitName= tostring(fruit_number) + " " + case(fruit_number="01","Apples",
fruit_number ="02","Pears",
fruit_number ="03","Oranges",
1==1,null())
| chart dc(sales) by fruitName
I used the case function instead of the if function because I like it better, but your if function is fine as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe I didn't explain it clear. Say my output should be:
123-This many Apples
34-This many Pears
278-This many Oranges
As I mentioned it is for HTML dashboard, so when joining the values I need special characters for later formatting.
Thank you
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
