topic Re: How to sort the column names alphabetically at the end of the search? in Splunk Search

How to sort the column names alphabetically at the end of the search?

HattrickNZ — Tue, 12 Mar 2019 01:00:40 GMT

This is my sample search:

| makeresults 
     | eval data = "
1-Sep    657 34 35;
2-Sep    434 34 35;
    " 
     | makemv delim=";" data
     | mvexpand data
     | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)"
     | fields + Date kpi1 kpi2 kpi3 | fields - _time
     | search kpi1 = * 
     |rename kpi1 as  "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times" 
     | rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures" 
     | rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
     | <command(s) goes here>

This gives me the columns in the following order - left to right

1/

Date    
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times  
Incoming Calls in Mobile Office Directions - Common Resources Application Failures  
Incoming Calls in Mobile Office Directions - Assignment Failures

Is there a command that I can add on that will sort these alphabetically to give me
2/

Date    
Incoming Calls in Mobile Office Directions - Assignment Failures
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times
Incoming Calls in Mobile Office Directions - Common Resources Application Failures

I know I can reorder the kpis in this part of the search
| fields + Date kpi1 kpi2 kpi3 |
But my question is more about after that and putting a specific command or commands to sort it alphabetically as 2/ above.
| <command(s) goes here>

Re: How to sort the column names alphabetically at the end of the search?

chrisyounger — Tue, 12 Mar 2019 01:06:39 GMT

You can use * with table and it will do it in ascii order:

e.g. |table * (but this might have fields you need to remove with |fields -)

or |table Date Inc*

All the best

Re: How to sort the column names alphabetically at the end of the search?

niketn — Tue, 12 Mar 2019 01:42:20 GMT

@chrisyoungerjds rather than using table a fields can be used directly, the same is anyways there in the current query:

| makeresults 
| eval data = "
 1-Sep    657 34 35;
 2-Sep    434 34 35;
     " 
| makemv delim=";" data 
| mvexpand data 
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)" 
| fields - _time 
| search kpi1 = * 
| rename kpi1 as "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times" 
| rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures" 
| rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
| fields + Date "Incoming Calls in Mobile Office Directions - *"

Re: How to sort the column names alphabetically at the end of the search?

chrisyounger — Tue, 12 Mar 2019 02:01:56 GMT

Yes you are absolutly right. Better to use fields over table