Re: Order by and group by in splunk to sort event ...

swetar · ‎07-26-2018

2018/17/25 19:37:27 Field1="0" GROUP_ID="A" FIELD_TEXT="Select"
2018/17/25 10:30:17 Field1="0"GROUP_ID="B" FIELD_TEXT="name"
2018/17/25 06:9:00 Field1="2" GROUP_ID="A"FIELD_TEXT="from "
2018/17/25 00:00:00 Field1="4" GROUP_ID="B"FIELD_TEXT="table"
2018/17/25 00:00:00 Field1="4" GROUP_ID="A"FIELD_TEXT="table2"

Required o/p
GROUP_ID Field_TEXT
A SELECT from table2
B Name table

I wanted to display the FIELD_TEXT value order by Field1 and group by group id
CAn any one suggest me, how can I achieve this

jplumsdaine22 · ‎07-27-2018

Not 100% sure what you're after but Sstats and sort is all you should need.

... | stats values(FIELD_TEXT) AS FIELD_TEXT by GROUP_ID Field1
| sort Field1

This will give you something like this:

GROUP_ID Field1 FIELD_TEXT
A        0      Select
B        0      name
A        2      from
A        4      table2
B        4      table

If thats not what you need,

|  stats list(FIELD_TEXT) as FIELD_TEXT list(Field1) as Field1 by GROUP_ID

will give you something like this:

GROUP_ID    FIELD_TEXT      Field1
A           Select from table2  0 2 4
B            name table     0 4

If you're coming from a SQL back ground this document may help you adjust to Splunk: http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/SearchReference/SQLtoSplunk

Order by and group by in splunk to sort event columns

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation

Order by and group by in splunk to sort event columns

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant