Order by and group by in splunk to sort event colu...

swetar · ‎07-26-2018

2018/17/25 19:37:27 Field1="0" GROUP_ID="A" FIELD_TEXT="Select"
2018/17/25 10:30:17 Field1="0"GROUP_ID="B" FIELD_TEXT="name"
2018/17/25 06:9:00 Field1="2" GROUP_ID="A"FIELD_TEXT="from "
2018/17/25 00:00:00 Field1="4" GROUP_ID="B"FIELD_TEXT="table"
2018/17/25 00:00:00 Field1="4" GROUP_ID="A"FIELD_TEXT="table2"

Required o/p
GROUP_ID Field_TEXT
A SELECT from table2
B Name table

I wanted to display the FIELD_TEXT value order by Field1 and group by group id
CAn any one suggest me, how can I achieve this

jplumsdaine22 · ‎07-27-2018

Not 100% sure what you're after but Sstats and sort is all you should need.

... | stats values(FIELD_TEXT) AS FIELD_TEXT by GROUP_ID Field1
| sort Field1

This will give you something like this:

GROUP_ID Field1 FIELD_TEXT
A        0      Select
B        0      name
A        2      from
A        4      table2
B        4      table

If thats not what you need,

|  stats list(FIELD_TEXT) as FIELD_TEXT list(Field1) as Field1 by GROUP_ID

will give you something like this:

GROUP_ID    FIELD_TEXT      Field1
A           Select from table2  0 2 4
B            name table     0 4

If you're coming from a SQL back ground this document may help you adjust to Splunk: http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/SearchReference/SQLtoSplunk

Order by and group by in splunk to sort event columns

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Are you a member of the Splunk Community?

Order by and group by in splunk to sort event columns

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025