Is there a function that randomly shuffles results?

Explorer

Similar to sort, except I'm looking for a function to randomly shuffle the results. This achieves the same result as the Linux shuf command.

0 Karma

Esteemed Legend

Like this:

 ... | eval _random=random()
 | sort 0 _random

Or this:

 ... | eval _random=md5(_raw)
 | sort 0 _random

Explorer

Looks like the "0" argument to sort ensures all results are returned, even if the number is greater than 10,000:
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Sort

Is my interpretation correct?

0 Karma

Esteemed Legend

Yes, this is very important; never run sort without a number.

0 Karma
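
Added example (not from any post in this thread): a self-contained search showing the effect of the `0` argument discussed above. It generates 25,000 constructed rows with `makeresults`, shuffles them once with plain `sort` and once with `sort 0`, and counts what survives each. The field names `n`, `kept_default`, `kept_with_0` and `note` are made up for the illustration.

```spl
| makeresults count=25000
| streamstats count AS n
| eval _random=random()
| sort _random
| stats count AS kept_default
| appendcols
    [| makeresults count=25000
     | streamstats count AS n
     | eval _random=random()
     | sort 0 _random
     | stats count AS kept_with_0]
| eval note="constructed sample: 25000 generated rows, no index data"
```

If `kept_default` is lower than `kept_with_0`, the plain `sort` silently dropped rows, so a "random sample" taken from it is drawn from a truncated set.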

Path Finder

Hi,

how about something like this?

 index=yourIndex
 | eval randomValue=random()
 | sort 0 randomValue
 | table _time _raw randomValue