topic Re: Sort eval-ed field by one of its parent fields in Splunk Search

Is there a way to sort eval-ed field by one of its parent fields?

Dworsnop — Tue, 08 Nov 2022 16:55:19 GMT

Hi all, I need some help sorting an eval field by one of it's components per below.

...

| eventstats count(ID) AS countID by severity, name | eval name_count=name." (".countID.")" | stats values(name_count) AS Signatures count by severity

This gives me something like...

severity Signatures
Critical asig0 (34)
bsig1 (2)
csig2 (76)
High asig3 (1)
bsig4 (23)
csig5 (22)

What I want...

severity Signatures
Critical csig2 (76)
asig0 (34)
bsig1 (2)
High bsig4 (23)
csig5 (22)
asig3 (1)

Is there any way I can sort the Signatures column by the values in the countID field?

Thanks in advance! 🙂

Re: Sort eval-ed field by one of its parent fields

gcusello — Tue, 08 Nov 2022 11:03:27 GMT

Hi @Dworsnop,

please try this:

Ciao.

Giuseppe

Re: Sort eval-ed field by one of its parent fields

Dworsnop — Tue, 08 Nov 2022 13:06:14 GMT

Thanks for the pointers @gcusello . I've used what you've provided and I can extract the 'countID' value but when I try to sort by it all it does is sort the severity column and doesn't appear to do anything with the Signatures one.

Re: Sort eval-ed field by one of its parent fields

gcusello — Tue, 08 Nov 2022 14:04:19 GMT

Hi @Dworsnop,

did you tried to sort by severity and countID desc, as I hinted?

could you share your search and the result you have?

Ciao.

Giuseppe

Re: Sort eval-ed field by one of its parent fields

Dworsnop — Tue, 08 Nov 2022 16:40:27 GMT

Hi @gcusello , here's my full search...

Unfortunately, due to the nature of the information, I can't share the results but I can tell you that the order of the Signatures column hasn't changed. I've even kept the countID column in and the numbers aren't sorted. I've tried "| sort severity, -num(countID)" as well but it does nothing.

Re: Sort eval-ed field by one of its parent fields

gcusello — Wed, 09 Nov 2022 07:39:55 GMT

Hi @Dworsnop,

it isn't possible to have the exact solution that you would,

as a workaround you could have the severity vaue repeated in each row:

or changing the order in the Signature field:

but in this case it's literaly ordinated, so 100 comes before 20.

Ciao.

Giuseppe

Re: Sort eval-ed field by one of its parent fields

Dworsnop — Wed, 09 Nov 2022 10:35:20 GMT

Hi @gcusello .

Thanks very much for the help, in the end I went with...

... severity="Critical"

| eventstats count(ID) AS countID by severity, Name

| eval name_count=Name." (".countID.")"

| rex field=name_count "$(?<newcountID>\d+)$$"

| stats count by name_count, newcountID

| sort – newcountID

| fields - newcountID, count

| rename name_count AS "Signatures (count)"

Re: Sort eval-ed field by one of its parent fields

gcusello — Wed, 09 Nov 2022 10:50:27 GMT

Hi @Dworsnop,

ok good for you, only one detail: if you filter by severity, you don't need severity as key in the stats command.

Anyway, if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated;-)

Re: Sort eval-ed field by one of its parent fields

gcusello — Wed, 09 Nov 2022 11:40:10 GMT

Hi @Dworsnop,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉