Re: Is there a function that randomly shuffles res...

davidch12 · ‎04-01-2019

Similar to sort, except I'm looking for a function to randomly shuffle the results. This achieves the same result as the Linux shuf command.

kelstahl8705 · ‎07-23-2024

I have to look up this command every few months because I can never remember it... Are you talking about the 'scrub' command? Turns your search results from

email= [email protected] > email= [email protected] or possibly to >
email= [email protected]

It keeps the data in the same format just jumbles everything up?

https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/SearchReference/Scrub
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Scrub

woodcock · ‎04-01-2019

Like this:

 ... | eval _random=random()
 | sort 0 _random

Or this:

 ... | eval _random=md5(_raw)
 | sort 0 _random

davidch12 · ‎04-01-2019

Looks like the "0" argument to sort ensures all results are returned, even if the number is greater than 10,000:
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Sort

Is my interpretation correct?

woodcock · ‎04-01-2019

Yes, this is very important; never run sort without a number.

martinpu · ‎04-01-2019

Hi,

how about something like this?

index=yourIndex
| eval randomValue=random()
| sort randomValue
| table _time _raw randomValue

Is there a function that randomly shuffles results?