topic Sort fieldnames in Splunk Search

Sort fieldnames

skodak — Sun, 12 Jul 2020 00:28:30 GMT

AccountName FAILURE SUCCESS IMPACT LOSS% Total

Account1	2000	149	0.1	11.33	10804
Account2	2081	262	0.10	9.55	2043
Account3	1630	1554	0.01	9.49	1017

Output was from inner join

I want the output like - alignment of field names. Sorting the order of field names.

Before -

AccountName FAILURE SUCCESS IMPACT LOSS% Total

After sorting should be -

AccountName FAILURE SUCCESS Total IMPACT LOSS%

Re: Sort fieldnames

richgalloway — Sun, 12 Jul 2020 00:58:21 GMT

Use the table command to specify the order in which fields should be displayed.

Re: Sort fieldnames

skodak — Sun, 12 Jul 2020 02:49:33 GMT

@richgalloway I have used table in second query and chart in first. I am not getting the desired result.

Re: Sort fieldnames

to4kawa — Sun, 12 Jul 2020 09:18:17 GMT

index=_internal | head 3 | fields _raw _time | streamstats count | eval _raw=case(count=1,"AccountName=Account1,FAILURE=2000,SUCCESS=149,IMPACT=0.1,LOSS%=11.33,Total=10804",count=2,"AccountName=Account2,FAILURE=2081,SUCCESS=262,IMPACT=0.10,LOSS%=9.55,Total=2043" ,count=3,"AccountName=Account3,FAILURE=1630,SUCCESS=1554,IMPACT=0.01,LOSS%=9.49,Total=1017") | fields - count | kv | rename LOSS as "LOSS%" | table AccountName FAILURE SUCCESS Total IMPACT LOSS%

I'm not sure when it can't table.

Re: Sort fieldnames

skodak — Sun, 12 Jul 2020 13:31:02 GMT

@to4kawa I have mutliple Account_NM which will be generated in realtime. The ACCOUNT_NM which I provided was sample data.

Thank you for the info though 🙂

Re: Sort fieldnames

richgalloway — Sun, 12 Jul 2020 17:13:04 GMT

The table command is the one to use to re-order fields for display.
Please share your query so we can see what may be throwing things off.