topic Re: Sorting Rex extracted test in Splunk Search

Sorting Rex extracted test

nithinthomas — Thu, 02 Mar 2017 14:29:01 GMT

My rex output extract gives following output in different environment. Is there any query to sort the returned text so that we get similar output all the time?

DocumentID=xxxx,ResponseType=xxxx,PO=xxxx,VID=xxxxx

DocumentID=xxxx,PO=xxxxx,VID=xxxx,ResponseType=xxxxx

Re: Sorting Rex extracted test

JDukeSplunk — Thu, 02 Mar 2017 17:57:38 GMT

Are you just wanting to order your fields ?

Maybe add

|stats count(DocumentID) as COUNT by DocumentID, ResponseType,PO,VID

Or whatever order you want them in or counted by.

Re: Sorting Rex extracted test

somesoni2 — Thu, 02 Mar 2017 19:39:23 GMT

Assuming the whole string DocumentID=xxxx,ResponseType=xxxx,PO=xxxx,VID=xxxxx (and other value) are extracted from raw data as part of a single value field, the rex command itself can't change the value available in raw data. You may manipulate the value after extractions. Following example will sort the value based on the key names inside your field (e.g. DocumentID, ResponseType etc) and always return in order DocumentID=xxxx,PO=xxxx,ResponseType=xxxx,VID=xxxxx

your base search | rex "...(?<FieldNameHere>...." | makemv FieldNameHere delim="," | eval FieldNameHere=mvsort(FieldNameHere) | nomv FieldNameHere

Re: Sorting Rex extracted test

nithinthomas — Fri, 03 Mar 2017 06:31:05 GMT

Thanks Duke! Since the extracted text was part of a single value field this solution didn't work.

Appreciate your response though!

Re: Sorting Rex extracted test

nithinthomas — Fri, 03 Mar 2017 06:32:01 GMT

This worked. Thank you!

you are awesome!