https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545203#M154400 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232861">@bruceaperez</a>,</P><P>Thank you. Please try below;</P><LI-CODE lang="markup">| rex field=Host "\.(?&lt;host_domain&gt;[^\s]+)" | sort - host_domain count | fields - host_domain</LI-CODE> Wed, 24 Mar 2021 19:01:28 GMT scelikok 2021-03-24T19:01:28Z https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545189#M154392 <P>Hi,</P><P>I'm trying to sort a value on a table from a rex field in Splunk Search.&nbsp; For instance, I have below value:</P><TABLE><TBODY><TR><TD>Date</TD><TD>Host</TD><TD>Count</TD></TR><TR><TD width="292.8px" height="24px">Wed_Mar_03/12/2021_12:30:01_EDT</TD><TD width="164px" height="24px">mn4.cioprd.lc</TD><TD width="49.6px" height="24px">4295</TD></TR><TR><TD width="292.8px" height="24px">Wed_Mar_03/12/2021_12:40:01_EDT</TD><TD width="164px" height="24px">mn3.ciodev.lc</TD><TD width="49.6px" height="24px">2182</TD></TR><TR><TD width="292.8px" height="24px">Wed_Mar_03/12/2021_12:30:01_EDT</TD><TD width="164px" height="24px">hive3.CIOPRD.LC</TD><TD width="49.6px" height="24px">1273</TD></TR><TR><TD width="292.8px" height="24px">Wed_Mar_03/12/2021_12:30:01_EDT</TD><TD width="164px" height="24px">hive2.cioprd.lc</TD><TD width="49.6px" height="24px">1202</TD></TR><TR><TD width="292.8px" height="24px">Wed_Mar_03/12/2021_12:40:01_EDT</TD><TD width="164px" height="24px">mn4.ciodev.lc</TD><TD width="49.6px" height="24px">1118</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I would like to sort this by Host starting with ".cioprd.local".&nbsp; The table should look like this.</P><TABLE width="529px"><TBODY><TR><TD>Date</TD><TD>Host</TD><TD>Count</TD></TR><TR><TD width="302.4px" height="38px">Wed_Mar_03/12/2021_12:30:01_EDT</TD><TD width="164px" height="38px">mn4.cioprd.lc</TD><TD width="61.6px" height="38px">4295</TD></TR><TR><TD width="302.4px" height="42px">Wed_Mar_03/12/2021_12:30:01_EDT</TD><TD width="164px" height="42px">hive2.cioprd.lc</TD><TD width="61.6px" height="42px">1202</TD></TR><TR><TD width="302.4px" height="38px">Wed_Mar_03/12/2021_12:30:01_EDT</TD><TD width="164px" height="38px">hive3.CIOPRD.LC</TD><TD width="61.6px" height="38px">1273</TD></TR><TR><TD width="302.4px" height="38px">Wed_Mar_03/12/2021_12:40:01_EDT</TD><TD width="164px" height="38px">mn3.ciodev.lc</TD><TD width="61.6px" height="38px">2182</TD></TR><TR><TD width="302.4px" height="36px">Wed_Mar_03/12/2021_12:40:01_EDT</TD><TD width="164px" height="36px">mn4.ciodev.lc</TD><TD width="61.6px" height="36px">1118</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I tried the using the eval from this <A href="https://www.splunk.com/en_us/blog/tips-and-tricks/order-up-custom-sort-orders.html" target="_self">doc,</A> but no luck.&nbsp; Can you please help me on this?&nbsp; Thanks.</P> Wed, 24 Mar 2021 17:05:55 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545189#M154392 bruceaperez 2021-03-24T17:05:55Z https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545196#M154397 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232861">@bruceaperez</a>,</P><P>Your sort by criteria is not certain and I couldn't guess it by looking at your output sample. Do you want to extract one part of host? If yes which part?&nbsp;</P> Wed, 24 Mar 2021 17:48:05 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545196#M154397 scelikok 2021-03-24T17:48:05Z https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545198#M154398 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;- i want to sort it by host and I want to arrange it by environment.&nbsp;Basically, I want to arrange it first with strings containing "cioprd.lc" then "ciodev.lc".&nbsp; After I have arranged the host on this manner, then I will have to sort the Count in descending order.</P> Wed, 24 Mar 2021 18:04:02 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545198#M154398 bruceaperez 2021-03-24T18:04:02Z https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545203#M154400 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232861">@bruceaperez</a>,</P><P>Thank you. Please try below;</P><LI-CODE lang="markup">| rex field=Host "\.(?&lt;host_domain&gt;[^\s]+)" | sort - host_domain count | fields - host_domain</LI-CODE> Wed, 24 Mar 2021 19:01:28 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545203#M154400 scelikok 2021-03-24T19:01:28Z https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545233#M154410 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp; - it seems it didn't work.&nbsp; Here's my search command.</P><P>&nbsp;</P><P><EM>....&nbsp;| rex field=_raw "(?&lt;Date&gt;[^\|]+)\|(?&lt;Host&gt;[^\|]+)\| (?i)Count=(?&lt;count&gt;[^\|]+)"</EM><BR /><EM>| fields + Date, Host, count</EM><BR /><EM>| search "mn4.ciodev.lc" OR "mn3.ciodev.lc" OR "hive3.CIOPRD.LC" OR "hive2.cioprd.lc" OR "mn4.cioprd.lc"</EM><BR /><EM>| eval Date = strptime(Date,"%a_%b_%m/%d/%Y_%H:%M:%S_%Z") | sort 0 - Date | eval Date = strftime(Date,"%a_%b_%m/%d/%Y_%H:%M:%S_%Z")</EM><BR /><EM>| table Date, Host, count</EM><BR /><EM>| dedup Host</EM></P> Wed, 24 Mar 2021 22:41:55 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545233#M154410 bruceaperez 2021-03-24T22:41:55Z https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545254#M154415 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232861">@bruceaperez</a>,</P><P>I think the problem was uppercase environment. Below changing environment to lowercase should work for you.</P><LI-CODE lang="markup">| rex field=Host "\.(?&lt;host_domain&gt;[^\s]+)" | eval host_domain=lower(host_domain) | sort - host_domain count | fields - host_domain</LI-CODE> Thu, 25 Mar 2021 04:28:36 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Column-Value-in-Table-from-Rex-Field/m-p/545254#M154415 scelikok 2021-03-25T04:28:36Z