Order by and group by in splunk to sort event colu...

swetar · ‎07-26-2018

2018/17/25 19:37:27 Field1="0" GROUP_ID="A" FIELD_TEXT="Select"
2018/17/25 10:30:17 Field1="0"GROUP_ID="B" FIELD_TEXT="name"
2018/17/25 06:9:00 Field1="2" GROUP_ID="A"FIELD_TEXT="from "
2018/17/25 00:00:00 Field1="4" GROUP_ID="B"FIELD_TEXT="table"
2018/17/25 00:00:00 Field1="4" GROUP_ID="A"FIELD_TEXT="table2"

Required o/p
GROUP_ID Field_TEXT
A SELECT from table2
B Name table

I wanted to display the FIELD_TEXT value order by Field1 and group by group id
CAn any one suggest me, how can I achieve this

jplumsdaine22 · ‎07-27-2018

Not 100% sure what you're after but Sstats and sort is all you should need.

... | stats values(FIELD_TEXT) AS FIELD_TEXT by GROUP_ID Field1
| sort Field1

This will give you something like this:

GROUP_ID Field1 FIELD_TEXT
A        0      Select
B        0      name
A        2      from
A        4      table2
B        4      table

If thats not what you need,

|  stats list(FIELD_TEXT) as FIELD_TEXT list(Field1) as Field1 by GROUP_ID

will give you something like this:

GROUP_ID    FIELD_TEXT      Field1
A           Select from table2  0 2 4
B            name table     0 4

If you're coming from a SQL back ground this document may help you adjust to Splunk: http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/SearchReference/SQLtoSplunk

Order by and group by in splunk to sort event columns

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI