Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sort every 6 rows of a column in splunk?

maverick27
Explorer
‎03-27-2024 07:57 AM

Hello Splunk Experts,

Lets say i have a table that contains 2 columns as shown below:

NameS_no
aaa1
ccc3
bbb2
ddd4
eee5
fff6
ggg1
iii3
hhh2
jjj4
kkk5
lll6
mmm1
ooo3
nnn2
ppp4
qqq5
rrr6


Now, I need to sort every 6 rows of 's_no' column and populate the table. Something like this:

NameS_no
aaa1
bbb2
ccc3
ddd4
eee5
fff6
ggg1
hhh2
iii3
jjj4
kkk5
lll6
mmm1
nnn2
ooo3
ppp4
qqq5
rrr6


Could you please help me with the query? Much appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-27-2024 08:22 AM 
| streamstats count as row
| eval group=floor((row - 1) / 6)
| sort 0 group S_no
| fields - group row

View solution in original post

Reply
Solved! Jump to solution

maverick27
Explorer
‎04-03-2024 01:06 AM

Hello,

Thankyou @ITWhisperer @meetmshah for the quick revert and apologies for the delay in response. The solution indeed works. However, when I try to create a trellis layout (split by S_no), the graphs are displayed in the original order (1,3,2,4,5,6) and not how I want it to be i.e. 1,2,3,4,5,6. 

Is this a bug by any chance? 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-03-2024 02:11 AM

Sounds like a feature - trellis is probably sorting the display based on the first field

0 Karma
Reply
Solved! Jump to solution

meetmshah
SplunkTrust
SplunkTrust
‎04-03-2024 01:13 AM

Hello @maverick27 sort should work in that case right? ie. - 

| sort GroupNum S_no
0 Karma
Reply
Solved! Jump to solution

maverick27
Explorer
‎04-03-2024 01:27 AM

NO. It doesn't work in trellis layout even though the result is sorted. I am already using the following in the query:

sort 0 group S_no

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-27-2024 08:22 AM 
| streamstats count as row
| eval group=floor((row - 1) / 6)
| sort 0 group S_no
| fields - group row
Reply
Solved! Jump to solution

meetmshah
SplunkTrust
SplunkTrust
‎03-27-2024 08:21 AM

Done, Can you please below search in Splunk and confirm if this is something you want - 

| makeresults 
| eval data="aaa,1 ccc,3 bbb,2 ddd,4 eee,5 fff,6 ggg,1 iii,3 hhh,2 jjj,4 kkk,5 lll,6 mmm,1 ooo,3 nnn,2 ppp,4 qqq,5 rrr,6" 
| makemv data delim=" " 
| mvexpand data 
| rex field=data "(?<Name>\w+),(?<S_no>\d+)" 
| streamstats count as row_num 
| eval GroupNum = floor((row_num - 1) / 6) 
| sort GroupNum S_no 
| fields - _time data row_num GroupNum

Output - 

meetmshah_0-1711552853098.png

 

 

Please accept the solution and hit Karma, if this helps!

 

 

Reply
Solved! Jump to solution

meetmshah
SplunkTrust
SplunkTrust
‎03-29-2024 11:34 PM

Hello, Just checking through if the issue was resolved or you have any further questions?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...