Splunk Search

adding commas to numbers, chart+by breaks it.

colinj
Path Finder

Howdy all,

I'm using the following search

index="summary_collaboration" 
source="Inbound Messages Accepted & Delivered" 
OR source="Inbound Messages Refused" 
| bucket span=1d _time 
| eval formatted_time=strftime(_time, "%x")
| chart count as messages over source by formatted_time
| addtotals fieldname="7 Day Total" col=true label="Daily Total" labelfield=source

to get back data about mail messages. Since we handle a lot, I'd like to put some separators into the numbers. I've tried adding the line

| eval messages=tostring(messages,"commas")

after the chart command and after the addtotals command, but neither changes the format of the numbers. However, and this is the tricky bit, if I remove the by formatted_time portion of the chart command the commas appear; if I add it back, they go away.

What am I doing wrong?


lguinn2
Legend

Instead of eval, try fieldformat, maybe like this

| eval formatted_time=_time | fieldformat formatted_time=strftime(formatted_time, "%x")

and/or

| fieldformat messages=tostring(messages,"commas")

eval changes the fieldtype from numeric to string. fieldformat changes the visual representation, but the underlying value remains numeric.


miteshvohra
Contributor

Is there a way to "fieldformat" 'commas' in UK format (##,##,###) instead of US format (###,###,###)?


sansay
Contributor

I tried this and it works just fine:
index=_internal per_sourcetype_thruput host=splunkindexer * | timechart span=1d sum(kb) as TotalBytesIndexed | fieldformat TotalBytesIndexedHuman=tostring(TotalBytesIndexed,"commas")


lgmnemesis
Explorer

Does anyone know why fieldformat is not working on the chart/stats command?
For instance, when trying to change the tooltip format to show values with commas, a search like this doesn't work:
chart sum(RECORD_VALUE) AS Summary by name|fieldformat Summary=tostring(Summary,"commas")

colinj
Path Finder

Even with fieldformat I still get the same behavior and again if I remove the by clause from the chart command I get the commas. I've also tried this with timechart and I see the same behavior.

This is all coming from a summary index where I've been using sistats and sitop to populate the index. Could that make a difference?

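One thing the thread does not spell out: once chart has a by clause, the per-day counts end up in columns named after each formatted_time value (and the "7 Day Total" column from addtotals), so no field called messages exists any more for eval or fieldformat to touch. The following is an added example, not one of the posters' searches: it builds six sample rows with makeresults so it runs against no index, uses an underscore-only date format so the generated column names need no special quoting, and then applies the comma formatting to every numeric column with foreach.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "@d") - (n % 3) * 86400
| eval source = if(n <= 3, "Inbound Messages Accepted & Delivered", "Inbound Messages Refused")
| eval messages = 1000000 + n * 12345
| eval formatted_time = strftime(_time, "%Y_%m_%d")
| chart sum(messages) AS messages OVER source BY formatted_time
| addtotals fieldname="7 Day Total" col=true label="Daily Total" labelfield=source
| foreach * [eval "<<FIELD>>" = if(isnum('<<FIELD>>'), tostring('<<FIELD>>', "commas"), '<<FIELD>>')]
```

Because this uses eval rather than fieldformat, the formatted columns become strings, so any sort applied afterwards treats them as text; apply the foreach as the last step, after addtotals and any sort.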