Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you sort by a specific order by the values of a field?

johnward4
Communicator
‎11-17-2018 09:38 AM

I am trying to figure out if there's a way to sort my table by the Fields "Whs" which have values of :
GUE -- I want to show rows for GUE data first
GUR -- followed by GUR

I also need to sort by a field called "Type" and the sort needs to follow this order of type
Full_CS
Ovsz
PTL
B_Bay
Floor

then repeat in that order showing rows for GUR.

Here's my current query 

index=test sourcetype="example" 
| stats values(Machine) as Machine, values(Whs) as Whs, values(Dscrptn) as Dscrptn, values(Percent_Sorted) as Percent_Sorted, sum(Total_CS) as Total_CS, sum(Online_CS) as Online_CS, sum(Inducted_CS) as Inducted_CS, sum(FullCSUnits) as FullCSUnits, sum(Full_CS) as Full_CS, sum(BTS) as BTS, sum(Total_Packed) as Total_Packed, sum(Total_VAS) as Total_VAS, sum(In_VAS) as In_VAS, sum(Total_Non_Vas) as Total_Non_Vas, sum(eval(Total_Units_Machine - (Total_Units_Machine * Percent_Sorted / 100))) as RmnngUnits by Wave, _time
| table Machine, Whs, Wave, Dscrptn, Percent_Sorted, RmnngUnits, Total_CS, Online_CS, Inducted_CS, FullCSUnits, Full_CS, BTS, Total_VAS, Total_Non_Vas, In_VAS, Total_Packed
| sort WHS, Type
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-17-2018 09:47 AM

Hi johnward4,
if you want to sort in alphabetical order, your search is aleady Ok,
if instead you want to sort in a different order, you have to use an hide field, in other words:

 index=test sourcetype="example" 
 | stats values(Machine) as Machine, values(Whs) as Whs, values(Dscrptn) as Dscrptn, values(Percent_Sorted) as Percent_Sorted, sum(Total_CS) as Total_CS, sum(Online_CS) as Online_CS, sum(Inducted_CS) as Inducted_CS, sum(FullCSUnits) as FullCSUnits, sum(Full_CS) as Full_CS, sum(BTS) as BTS, sum(Total_Packed) as Total_Packed, sum(Total_VAS) as Total_VAS, sum(In_VAS) as In_VAS, sum(Total_Non_Vas) as Total_Non_Vas, sum(eval(Total_Units_Machine - (Total_Units_Machine * Percent_Sorted / 100))) as RmnngUnits by Wave, _time
 | table Machine, Whs, Wave, Dscrptn, Percent_Sorted, RmnngUnits, Total_CS, Online_CS, Inducted_CS, FullCSUnits, Full_CS, BTS, Total_VAS, Total_Non_Vas, In_VAS, Total_Packed
| eval rank=case(Type="Full_CS","1",Type="Ovsz","2",Type="PTL","3",Type="B_Bay","4",Type="Floor",5")
| sort WHS, Rank
| fields - Rank

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-17-2018 09:47 AM

Hi johnward4,
if you want to sort in alphabetical order, your search is aleady Ok,
if instead you want to sort in a different order, you have to use an hide field, in other words:

 index=test sourcetype="example" 
 | stats values(Machine) as Machine, values(Whs) as Whs, values(Dscrptn) as Dscrptn, values(Percent_Sorted) as Percent_Sorted, sum(Total_CS) as Total_CS, sum(Online_CS) as Online_CS, sum(Inducted_CS) as Inducted_CS, sum(FullCSUnits) as FullCSUnits, sum(Full_CS) as Full_CS, sum(BTS) as BTS, sum(Total_Packed) as Total_Packed, sum(Total_VAS) as Total_VAS, sum(In_VAS) as In_VAS, sum(Total_Non_Vas) as Total_Non_Vas, sum(eval(Total_Units_Machine - (Total_Units_Machine * Percent_Sorted / 100))) as RmnngUnits by Wave, _time
 | table Machine, Whs, Wave, Dscrptn, Percent_Sorted, RmnngUnits, Total_CS, Online_CS, Inducted_CS, FullCSUnits, Full_CS, BTS, Total_VAS, Total_Non_Vas, In_VAS, Total_Packed
| eval rank=case(Type="Full_CS","1",Type="Ovsz","2",Type="PTL","3",Type="B_Bay","4",Type="Floor",5")
| sort WHS, Rank
| fields - Rank

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

johnward4
Communicator
‎11-17-2018 12:28 PM

Thank you @cusello ! this is exactly what I needed

0 Karma
Reply
Solved! Jump to solution

Keysofsandiego
Path Finder
‎09-06-2019 02:02 PM

The Last 2 fields should be lowercase rank's (not camelcase Rank). as the eval is creating a new field called "rank"

 | sort WHS, rank
 | fields - rank

That being said DUDE ThAnKs! YoU ToTaLlY gOt Me WhAt I nEeDeD! 
=)

UPVOTE HIS ANSWER PLZ!

0 Karma
Reply
Solved! Jump to solution

johnward4
Communicator
‎11-17-2018 09:40 AM

alt text

Here's an example from a dashboard I'm trying to replicate in Splunk.

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...