How to sort a particular field with a desired order

vinod743374
Communicator

This is my field with the values inside:

Data 
Passed 3rd  July
Passed 8th  July
Failed  3rd July
Failed 8th July
Total 3rd July
Total 8th July


Desired Order is 

Data 
Total 3rd July
Passed 3rd July
Failed 3rd July
Total 8th July
Passed 8th July
Failed 8th July


Please help me out,
it would be appreciated.


venkatasri
SplunkTrust

Hi @vinod743374 

Can you try this,

| makeresults 
| eval data="Passed 3rd  July
,Passed 8th  July
,Failed  3rd July
,Failed 8th July
,Total 3rd July
,Total 8th July" 
| makemv delim="," data 
| mvexpand data 
| eval sort_field=case(like(data,"Total%"),1,like(data,"Passed%"),2, like(data,"Failed%"),3) 
| rex field=data "^\w+\s(?<date>.+?)$" 
| sort -date sort_field 
| stats list(data)


---

An upvote would be appreciated and Accept solution if this reply helps!

 


vinod743374
Communicator

It works fine.

I have a small doubt:
if my data has different formats like below,

Data 

Passed 8th July 
Total Failed 8th July 
%Pass 8th July

Is it possible with the rex? Is there any alternative for this kind of data?


venkatasri
SplunkTrust

Hi @vinod743374, yes, it works. You can match and extract any special character with rex; if you want to apply the same solution as I described, you have to update the rex.

---

If this reply helps, it would be great if you could accept the original solution; that would be useful to others.


vinod743374
Communicator

I tried it.
You can see, if I tried to match the first, it disturbs the other data.

| makeresults
| eval data="Passed 3rd July
,Passed 8th July
,Total Failed 3rd July
,Total Failed 8th July
,Total 3rd July
,Total 8th July"
| makemv delim="," data
| mvexpand data
| eval sort_field=case(like(data,"Total%"),1,like(data,"Passed%"),2, like(data,"Failed%"),3)
| rex field=data "^\w+\s\w+\s(?<date>.+?)$"


venkatasri
SplunkTrust

@vinod743374 What did you try to match? I don't find a change in the SPL.


vinod743374
Communicator


I tried to match Total Failed 3rd July; it extracts perfectly. You can see the rest of the results.


vinod743374
Communicator

Thanks for your help,

it's working,
appreciate your patience.
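
For the follow-up question about labels of different lengths (Passed, Total Failed, %Pass), one option is to anchor the rex on the date instead of counting the words in front of it. This is an added example, not a post from the thread: the sample values are constructed, the rank given to %Pass is an assumption, and sorting by day alone assumes every value falls in the same month.

```spl
| makeresults ```constructed sample values, modelled on the data in the thread```
| eval data="Passed 3rd July,Total Failed 3rd July,%Pass 3rd July,Total 3rd July,Passed 8th July,Total Failed 8th July,%Pass 8th July,Total 8th July"
| makemv delim="," data
| mvexpand data
| rex field=data "^(?<label>.+?)\s+(?<day>\d{1,2})(?:st|nd|rd|th)\s+(?<month>\w+)\s*$" ```anchor on the date; label is whatever precedes it, one word or several```
| eval sort_field=case(label=="Total",1, label=="Passed",2, label=="Failed" OR label=="Total Failed",3, label=="%Pass",4, true(),99) ```assumed order; unknown labels sort last```
| eval day=tonumber(day) ```numeric sort, so that 8 sorts before 10```
| sort 0 day sort_field
| table data
```

Because the label is captured lazily up to the first day-plus-ordinal token, the same rex extracts the date from one-word and two-word labels alike, and extra spaces between the words do not change the result.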
