multivalue field not ordered properly

Dantuzzo — Fri, 23 Dec 2022 16:38:53 GMT

Hi,

i'm trying to calculate the average events weekly by their severity and comparing the daily amount with the weekly average, i created a multivalue field but the values in the field get reordered and they don't match the rest of the data (the severity multivalue field), I tried using mvsort() but it did not work, what did i do wrong? Thank you for any help. Query, results and expected results below:

results:

_time	severity	AlertCount	average	change_percent
2022-12-23	High Informational	3 8	3.25 3.67	-22% 59%
2022-12-22	High	1	3.25	-225%
2022-12-21	High Informational	3	3.25 3.67	-22% -8%
2022-12-20	High	4	3.25	19%
2022-12-19	High Informational Medium	1 2 5	2.00 3.25 3.67	-100% -62% 27%

expected results:

_time severity AlertCount average change_percent

_time	severity	AlertCount	average	change_percent
2022-12-23	High Informational	3 8	3.25 3.67	-22% 59%
2022-12-22	High	1	3.25	-225%
2022-12-21	High Informational	3	3.25 3.67	-8% -22%
2022-12-20	High	4	3.25	19%
2022-12-19	High Informational Medium	1 2 5	3.25 3.67 2.00	-225% -83,5% 60%

Re: multivalue field not ordered properly

richgalloway — Sat, 24 Dec 2022 00:06:17 GMT

The values function returns values in lexicographical order with no attempts made to retain any associations to other fields. The mvsort function won't help because it sorts the values the exact same way.

topic Re: multivalue field not ordered properly in Splunk Search

multivalue field not ordered properly

Re: multivalue field not ordered properly