topic Re: how to maintain order in stats command in Splunk Search

how to maintain order in stats command

RSS_STT — Thu, 27 Mar 2025 13:49:20 GMT

Fields value of 2nd and 3rd events are enter changing. please suggest how to maintain order in Splunk status command. I can't use any other fields in stats by clause than token_id.

Sample Event:

Search Result output
toke_id	key	keyword	doc_no
c75136c4-bdbc-439b	2931	DK-BAL-AP-00613	GSSAGGOS_QA-2931
c75136c4-bdbc-439b	2932	DK-BAL-AP-00847	GSSAGGOS_QA-2932
c75136c4-bdbc-439b	2933	DK-Z13-SW-00002	GSSAGGOS_QA-2933

Expected Output
toke_id	key	keyword	doc_no
c75136c4-bdbc-439b	2931	DK-BAL-AP-00613	GSSAGGOS_QA-2931
c75136c4-bdbc-439b	2932	DK-Z13-SW-00002	GSSAGGOS_QA-2932
c75136c4-bdbc-439b	2933	DK-BAL-AP-00847	GSSAGGOS_QA-2933

Re: how to maintain order in stats command

richgalloway — Thu, 27 Mar 2025 16:10:24 GMT

The output of the values ~~and list~~ functions are always in lexicographical order. That destroys any relationship that might exist between/among fields.

The solution is to combine related fields into a single field before stats and then break them apart again afterwards.

Re: how to maintain order in stats command

RSS_STT — Thu, 27 Mar 2025 14:27:55 GMT

split function proving error.

Re: how to maintain order in stats command

ITWhisperer — Thu, 27 Mar 2025 15:17:20 GMT

values() sorts (and dedups) - use the list() function (which neither sorts nor dedups)

Re: how to maintain order in stats command

richgalloway — Thu, 27 Mar 2025 16:11:48 GMT

@RSS_STT wrote:
split function proving error.

I'm not sure what to make of that, but take it you get an (undescribed) error with the code I provided. I found a missing argument so please try the revised SPL.