topic Re: eval to create temporary field for sorting in Splunk Search

eval to create temporary field for sorting

surekhasplunk — Tue, 29 Sep 2020 16:46:42 GMT

I have a filed1 whose values are like below

TS - asfdfe sdrerw
TS - ieirrrr werr
TS - ierr werflll
BS - errriowr erer
AB - erewr erer
CS - ierwrr her

I want to create a temporary filed to sort these values
eval temp_field1= field1 where field1=TS*
eval temp_field2= field1 where field1=!TS*

then in my query i want to sort temp_field1 and temp_field2 separately.

Re: eval to create temporary field for sorting

elliotproebstel — Tue, 29 Sep 2020 16:46:44 GMT

The creation of temporary fields will be pretty straightforward:

| eval temp_field1=if(field1="TS*", field1, NULL) 

| eval temp_field2=if(field1="TS*", NULL, field1)

And then you can sort by either field:
| sort temp_field1 OR |sort temp_field2

Re: eval to create temporary field for sorting

gcusello — Mon, 13 Nov 2017 16:20:18 GMT

Hi surekhasplunk,
did you already tested

| eval temp_field1=if(field1=TS*,field1," "), temp_field2=if(field1!=TS*,field1," ")

In this way you can sort them as you like

Bye.
Giuseppe

Re: eval to create temporary field for sorting

somesoni2 — Mon, 13 Nov 2017 16:48:39 GMT

You need to use either match or like function of eval to generate your temporary fields like this.

your current search with field 'field1'
| eval temp_field1=if(match(field1,"^TS"),field1,null())
| eval temp_field2=if(NOT match(field1,"^TS"),field1,null())

your current search with field 'field1'
| eval temp_field1=if(like(field1,"TS%"),field1,null())
| eval temp_field2=if(NOT like(field1,"TS%"),field1,null())

Sorting can be done by any field (or in specific order of combination of those fields) using sort command.

Re: eval to create temporary field for sorting

niketn — Mon, 13 Nov 2017 16:51:40 GMT

@surekhasplunk, I hope you are trying to sort all field values containing TS first in ascending order. Then you want to add remaining values sorted afterwards.

Please try out the following run anywhere search based on your sample data. I have jumbled TS and other fields for testing sort.

|  makeresults
|  eval data="CS - ierwrr her;TS - defirrrr werr;TS - abcr werflll;BS - errriowr erer;AB - derwr erer;TS - asfdfe sdrerw"
|  eval data=split(data,";")
|  mvexpand data
|  eval field1=mvindex(data,0)
|  table field1
|  sort field1
|  eval sortOverride=case(match(field1,"^TS - "),"Y",true(),"N")
|  appendpipe [| where sortOverride="N" | eval sortOverride="Y" ]
|  search sortOverride="Y"

@somesoni2, I was so blown away by your use of appendpipe yesterday that I wanted to try it myself... thanks for teaching a new trick 🙂

Re: eval to create temporary field for sorting

surekhasplunk — Tue, 14 Nov 2017 12:59:08 GMT

Hi @niketnilay and @somesoni2

Thanks but it isn't working as expected its just giving me each line 6 times without calculating anything.
am getting like below :
CS - ierwrr her Null%
... 6 times Null%
CS - ierwrr her
TS - defirrrr werr
... 6times
TS - defirrrr werr
etc.

if I have 2 values in data separated by ; then mvexpand is giving me 4 values in the result .. if 3 values then 6 like that. How to get single values

field1 value "^TS" sum them addtotals and then rest of the rows and at the end sum total of all lines. This is what I need.

Re: eval to create temporary field for sorting

niketn — Tue, 14 Nov 2017 20:24:14 GMT

@surekhasplunk, first Un-accept the answer, if your query is not resolved, so that this question flags as unanswered for other community members as well.

In my run anywhere example the pipes till | table field1 were just used to mock sample data as per your question. You dont need to use those pipes.

You would need to write your own Splunk search query with required transforming command to output the table. Then continue with commands in the answer to be applied on field1 (as per the question).
Please try out and confirm. Try out other answers suggested by Guiseppe and Somesh as well to see if caters to your needs and resolves your issue or not.