Splunk Search

How do I prevent losing the nice formatting of fieldformat after adding xyseries to my stats search?

wang
Path Finder

I have a stats command that correctly formats the count field.

stats count by method client  | fieldformat count=tostring(count,"commas")

However, when I add | xyseries method client count, I lose the nice formatting. I tried to rearrange the fieldformat clause to the end, but that didn't help. I get no formatting at all with the numbers. I might as well just use chart count over. The reason I use stats with xyseries is that I thought I could format the numbers this way.

ngatchasandra
Builder

Hi wang,
If I understand your problem, you lose the nice formatting of count when you add | xyseries method client count. I tried to test it with my search like this:

index=_internal | stats count by group sourcetype | fieldformat count=tostring(count,"commas") | xyseries group sourcetype count

I also lost the nice formatting, but I rearranged it with a query like the following, because the fieldformat command doesn't allow keeping the formatting. Try to run it:

This works very well!

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas")  | xyseries group sourcetype count
0 Karma

wang
Path Finder

Close but not quite. Adding eval fixed the formatting but sorting now sorts count as strings, not numeric values.

0 Karma

ngatchasandra
Builder

I am working on it!

0 Karma

ngatchasandra
Builder

Hi wang,
I tried to sort count in ascending order after converting count to strings with

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + count

or to sort count in lexicographical order with

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | sort + str(count)

Both of these queries work fine!

But when I apply the xyseries command to both of these queries, the results do not change; the results are the same as for the queries that follow:

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + count| xyseries group sourcetype count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") |sort + str(count)| xyseries group sourcetype count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype count |sort + count

index=_internal | stats count by group sourcetype | eval count=tostring(count,"commas") | xyseries group sourcetype count | sort + str(count)

Please don't forget to vote for me if my first answer satisfies you!

0 Karma
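
An added example, not part of the thread and not any poster's query: after xyseries there is no field named count any more, so one way to keep the values numeric for sorting while still displaying commas is to apply fieldformat to the pivoted columns themselves. The makeresults rows, the counts, and the column names web01 and web02 are constructed sample data.

```spl
| makeresults count=4
| streamstats count AS n
| eval method=if(n<=2, "GET", "POST")
| eval client=if(n%2==1, "web01", "web02")
| eval count=case(n==1, 9500, n==2, 95, n==3, 30000, n==4, 4100)
| xyseries method client count
| sort 0 - web01
| fieldformat web01=tostring(web01, "commas")
| fieldformat web02=tostring(web02, "commas")
```

On real data the column names are the values of the client (or sourcetype) field, so the fieldformat clauses have to name those values.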