topic Re: custom sort field values in Splunk Search

custom sort field values

corehan — Thu, 30 Sep 2021 13:02:06 GMT

Hello dears,

How can i sort these field values ?

Field = "port"

0/1/0/2/

0/8/0/7/

0/2/0/3/

0/5/0/2/

0/6/0/3/

0/16/0/2

0/18/0/6

0/16/0/5

0/4/0/2/

0/6/0/2/

0/18/0/2

0/12/0/4

0/3/0/7/

Regards.

Re: custom sort field values

richgalloway — Thu, 30 Sep 2021 13:10:06 GMT

The sort command will sort them for you.

| sort port

Re: custom sort field values

corehan — Thu, 30 Sep 2021 13:11:36 GMT

this view also sort port but it is not sorting .

Re: custom sort field values

richgalloway — Thu, 30 Sep 2021 13:25:08 GMT

Please use more words. What exactly are you trying to do? How exactly are you trying to do it? What are the results? What results did you expect? What problem are you trying to solve?

Re: custom sort field values

corehan — Thu, 30 Sep 2021 14:08:00 GMT

these are port numbers and i want sort port with same numbers,

like this,

0/1/0/0

0/2/1/1

0/2/2/1

Regards.

Re: custom sort field values

PickleRick — Thu, 30 Sep 2021 14:50:35 GMT

I suppose your problem is that "normal" sort sorts the values as strings (lexicographically) and you want to have them sorted with numerical values of each "field".

Assuming you have your data in a field called "a"

<your_search> | rex field=a "(?<d1>\d+)/(?<d2>\d+)/(?<d3>\d+)/(?<d4>\d+)" 
| sort d1 d2 d3 d4 
| eval a=d1."/".d2."/".d3."/".d4

Re: custom sort field values

corehan — Thu, 30 Sep 2021 15:07:48 GMT

Sorry, i couldn't. Here is the real search query and result. I want the group or sort OLT_Port values;

<base search> |rex field=ONT "^(?P<ONT>........)" | stats count as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT |sort -OLT_Port
| where Toplam_Sikayet >= 10

Re: custom sort field values

PickleRick — Thu, 30 Sep 2021 15:15:42 GMT

Ahhh. Again (someone lately had similar problem - wasn't that you?) you're creating one multivalued field. You won't sort your data that way. Even if you managed to sort the data within this one column, there's no way to tell the other multivalued fields to reorder. So that's definitely not something you want.

Do not aggregate the fields.

Just do your stats, sort the data, then aggregate and stats again.

Re: custom sort field values

somesoni2 — Thu, 30 Sep 2021 15:37:42 GMT

Give this a try (using mvsort as the field values are multivalued. Also, moving 'where' filter just after stats, filter should be done as early as possible)

<base search> |rex field=ONT "^(?P<ONT>........)" | stats count as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT | where Toplam_Sikayet >= 10 | eval OLT_Port=mvsort(OLT_Port)

Re: custom sort field values

corehan — Thu, 30 Sep 2021 16:01:37 GMT

King Regards, it's ok now.

Also thank you for all other replays.

I love this community. 🙂

Re: custom sort field values

PickleRick — Thu, 30 Sep 2021 16:56:38 GMT

You're aware that after sorting the order of the port field does not correspond to the order of other mv-fields?

Re: custom sort field values

corehan — Thu, 30 Sep 2021 17:36:46 GMT

Hmm, you are right. Thank you for attention. Just only OLT_Port field values sorting without other mvalues fields. This is problem.

Regards.

Re: custom sort field values

PickleRick — Thu, 30 Sep 2021 17:48:27 GMT

As I wrote before - mvsort sorts only values in a single multivalued field. Other fields have no way of "knowing" how to reorder.

So you need to sort the data when it's still in separate events and only afterwards aggregate them if needed (do you need those multivalued fields at all? As you can see they have ,any drawbacks)

Anyway, you needed something more like

Re: custom sort field values

PickleRick — Thu, 30 Sep 2021 18:04:35 GMT

OK. It seems I probably overcomplicated things.

You're probably good to go with

<base search> |rex field=ONT "^(?P<ONT>........)" | sort ONT | stats count as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT | where Toplam_Sikayet >= 10

You might want to replace the sorting part with my other solution if it's not sorting numericaly.

Re: custom sort field values

somesoni2 — Thu, 30 Sep 2021 18:11:16 GMT

If you want the other fields to be sorted according to field OLT_Port, try this version:

<base search> |rex field=ONT "^(?P<ONT>........)" | stats count by Date OLT Saat ONT H REQUESTNAME | sort Date OLT ONT | stats sum(count) as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT | where Toplam_Sikayet >= 10

Re: custom sort field values

corehan — Thu, 30 Sep 2021 18:53:41 GMT

Hello , It is working which i want but latest solution is more effortless and same result. just only adding | sort ONT.

So i will accept this.

Thank you very much, you are very kind.

Regards.

Re: custom sort field values

corehan — Thu, 30 Sep 2021 18:56:07 GMT

King regards , thank you again.