Re: Order by and group by in splunk to sort event ...

swetar · ‎07-26-2018

2018/17/25 19:37:27 Field1="0" GROUP_ID="A" FIELD_TEXT="Select"
2018/17/25 10:30:17 Field1="0"GROUP_ID="B" FIELD_TEXT="name"
2018/17/25 06:9:00 Field1="2" GROUP_ID="A"FIELD_TEXT="from "
2018/17/25 00:00:00 Field1="4" GROUP_ID="B"FIELD_TEXT="table"
2018/17/25 00:00:00 Field1="4" GROUP_ID="A"FIELD_TEXT="table2"

Required o/p
GROUP_ID Field_TEXT
A SELECT from table2
B Name table

I wanted to display the FIELD_TEXT value order by Field1 and group by group id
CAn any one suggest me, how can I achieve this

jplumsdaine22 · ‎07-27-2018

Not 100% sure what you're after but Sstats and sort is all you should need.

... | stats values(FIELD_TEXT) AS FIELD_TEXT by GROUP_ID Field1
| sort Field1

This will give you something like this:

GROUP_ID Field1 FIELD_TEXT
A        0      Select
B        0      name
A        2      from
A        4      table2
B        4      table

If thats not what you need,

|  stats list(FIELD_TEXT) as FIELD_TEXT list(Field1) as Field1 by GROUP_ID

will give you something like this:

GROUP_ID    FIELD_TEXT      Field1
A           Select from table2  0 2 4
B            name table     0 4

If you're coming from a SQL back ground this document may help you adjust to Splunk: http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/SearchReference/SQLtoSplunk

Order by and group by in splunk to sort event columns

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Order by and group by in splunk to sort event columns

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES