Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to sort strings based on number character?

POR160893
Builder
‎05-03-2022 03:37 AM

Hi,

I have a field which is a concatenation of a URL and a Sequence number, e.g. /google.ie:23 or /ebay.com:43.

I need to order this string field in descending order base based on the string number at the end of the field and then create 2 fields "To" and "From" showing:

To                                From
/yahoo.ie:1             /google.ie:2
/google.ie:2             /facebook.ie:3
.............................


At the moment, I am able to do the concatenation, but I am unable to sort on the numbers or create the required "To" or "From" fields:
index = .....
| eval time_epoch = strptime('SESSION_TIMESTAMP', "%Y-%m-%d %H:%M:%S")
| convert ctime(time_epoch) as hour_minute timeformat="%Y-%m-%d %H:%M"
| strcat URL_PATH ":" SEQUENCE combo_time
| table combo_time


Can you please help?



Many thanks,
P

0 Karma
Reply

POR160893
Builder
‎05-03-2022 07:36 AM

Hey,

Yes, I sorted on SEQUENCE. This is where I am currently at:

......
| eval time_epoch = strptime('SESSION_TIMESTAMP', "%Y-%m-%d %H:%M:%S")
| convert ctime(time_epoch) as hour_minute timeformat="%Y-%m-%d %H:%M"
| strcat URL_PATH ":" SEQUENCE combo_time
| table combo_time, SEQUENCE
| eval temp = tonumber(SEQUENCE)
| sort temp
| rename combo_time as from
| eval to = from
| table from,to

The output is as follows:


For the "to" field, I need to remove the first  number and replace it with the 2nd, and continue doing this until "from" has its last number and "to" has nothing, like this:


from                                                  to
....:1                                                       ......:2
.....2                                                       .......:3
.....:3                                                      .......:4

........................................
.........N                                                  <BLANK>



How can I do this?????


Many thanks!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-03-2022 04:53 AM

Can you not just sort by SEQUENCE?

Reply

POR160893
Builder
‎05-03-2022 05:27 AM

Hey,

Yes, I sorted on SEQUENCE. This is where I am currently at:

......
| eval time_epoch = strptime('SESSION_TIMESTAMP', "%Y-%m-%d %H:%M:%S")
| convert ctime(time_epoch) as hour_minute timeformat="%Y-%m-%d %H:%M"
| strcat URL_PATH ":" SEQUENCE combo_time
| table combo_time, SEQUENCE
| eval temp = tonumber(SEQUENCE)
| sort temp
| rename combo_time as from
| eval to = from
| table from,to

The output is as follows:


For the "to" field, I need to remove the first  number and replace it with the 2nd, and continue doing this until "from" has its last number and "to" has nothing, like this:


from                                                  to
....:1                                                       ......:2
.....2                                                       .......:3
.....:3                                                      .......:4

........................................
.........N                                                  <BLANK>



How can I do this?????

(I gave you Karma for your last message though 😀)


Many thanks!

Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top