Re: Order by and group by in splunk to sort event ...

swetar · ‎07-26-2018

2018/17/25 19:37:27 Field1="0" GROUP_ID="A" FIELD_TEXT="Select"
2018/17/25 10:30:17 Field1="0"GROUP_ID="B" FIELD_TEXT="name"
2018/17/25 06:9:00 Field1="2" GROUP_ID="A"FIELD_TEXT="from "
2018/17/25 00:00:00 Field1="4" GROUP_ID="B"FIELD_TEXT="table"
2018/17/25 00:00:00 Field1="4" GROUP_ID="A"FIELD_TEXT="table2"

Required o/p
GROUP_ID Field_TEXT
A SELECT from table2
B Name table

I wanted to display the FIELD_TEXT value order by Field1 and group by group id
CAn any one suggest me, how can I achieve this

jplumsdaine22 · ‎07-27-2018

Not 100% sure what you're after but Sstats and sort is all you should need.

... | stats values(FIELD_TEXT) AS FIELD_TEXT by GROUP_ID Field1
| sort Field1

This will give you something like this:

GROUP_ID Field1 FIELD_TEXT
A        0      Select
B        0      name
A        2      from
A        4      table2
B        4      table

If thats not what you need,

|  stats list(FIELD_TEXT) as FIELD_TEXT list(Field1) as Field1 by GROUP_ID

will give you something like this:

GROUP_ID    FIELD_TEXT      Field1
A           Select from table2  0 2 4
B            name table     0 4

If you're coming from a SQL back ground this document may help you adjust to Splunk: http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/SearchReference/SQLtoSplunk

Order by and group by in splunk to sort event columns

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Order by and group by in splunk to sort event columns

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem