Similar to sort, except I'm looking for a function to randomly shuffle the results. This achieves the same result as the Linux shuf command.
Like this:
... | eval _random=random()
| sort 0 _random
Or this:
... | eval _random=md5(_raw)
| sort 0 _random
Looks like the "0" argument to sort ensures all results are returned, even if the number is greater than 10,000:
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Sort
Is my interpretation correct?
Yes, this is very important; never run sort without a number.
Hi,
how about something like this?
index=yourIndex
| eval randomValue=random()
| sort randomValue
| table _time _raw randomValue