How to edit my search to add commas to the numbers...

elijahputnam · ‎09-12-2016

Hello,

I have two questions.

1) In my search below, I am trying to add Commas to the numbers, but the Totals field disappears when the search is using commas. When I remove stats count by action | eval count = tostring(count, "commas"), everything shows up as expected, but without the commas.

index=pan_logs  sourcetype=pan:threat  log_subtype!=url action=allowed OR action=blocked severity!=informational severity!=low| stats count by action | eval count = tostring(count, "commas") | fields action count | rename action AS "Action", count as "Attempts" | addcoltotals|fillnull value="Total""

2) I would like to rename the row names. As you can see, I have already successfully renamed the columns, but I want to capitalize the rows as well.

Thank you

woodcock · ‎09-16-2016

The problem is that once you convert "count" from an integer to a "string", any "adding" function can no longer work. So move the tostring to the end like this:

index=pan_logs  sourcetype=pan:threat  log_subtype!=url action=allowed OR action=blocked severity!=informational severity!=low
| stats count AS Attempts BY action
| addcoltotals
| fillnull value="Total""
| eval count = tostring(Attempts, "commas")
| rename action AS "Action"

sundareshr · ‎09-12-2016

Try this

 index=pan_logs  sourcetype=pan:threat  log_subtype!=url action=allowed OR action=blocked severity!=informational severity!=low | stats count by action | fields action count | rename action AS "Action", count as "Attempts" | addcoltotals|fillnull value="Total"  | eval Action=upper(Action) | eval count = tostring(count, "commas")

How to edit my search to add commas to the numbers and rename the row names?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!