Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alphabetically sorting a MVfield

rvsroe
Explorer
‎06-19-2020 05:43 AM

Hi All,

I'm trying to combine a number of fields using:

| stats values(task_name) as task_name by idnumber


This works great when it comes to timestamps associated with the idnumber, but for
the tasks associated with it, splunk sorts it alphabetically.

This leads to problems down the line when we try to see which task was executed first.

Part of the problem is that the number of timestamps can differ from the number of tasks
so to make a new field with timestamp and task combined does not work.

#original data:
sysmodtime,task_name,idnumber
05/01/20 12:00 PM,one,1
05/01/20 12:01 AM,two,1
05/01/20 12:02 AM,two,1
05/01/20 12:02 AM,two,1
05/02/20 12:00 PM,one,2
04/02/20 12:00 AM,one,2
04/02/20 01:00 AM,one,2
04/02/20 02:00 AM,one,3
05/04/20 12:00 PM,one,4
05/03/20 12:00 PM,two,4
05/03/20 12:01 PM,three,4
05/03/20 12:02 PM,four,4
05/03/20 12:40 PM,five,4
05/03/20 12:50 PM,six,4


#the conflicting results after stats command (see attachment)

Any advice would be welcome
Cheers,
Roelof

Preview file
110 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2020 07:20 AM

It's not clear what results you want.  Can you provide a mockup of the desired output?

Have you tried putting both columns in the stats command?

| stats values(*) as * by idnumber
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rvsroe
Explorer
‎06-22-2020 01:45 AM

Hi Richgalloway, thanks for the reply, the atachment in the main question shows the erroneous results, with the tasks sorted alphabetically instead of matched with the timestamp, so for example for id number 1 there are 6 tasks and 6 time stamps,  the stats command (placing both columns inside stats) gives:

sysmodtime, task_name, idnumber
05/04/20 12:00 PM, five, 4
05/03/20 12:00 PM, four,
05/03/20 12:01 PM, one,
05/03/20 12:02 PM, six.
05/03/20 12:40 PM, three,
05/03/20 12:50 PM, two,

whereas the order should be simply; one, two, three, four, five, six

Solutions that make a new field using sysmodtime and task_name fail since number of tasks
and number of sysmodtime are not equal in all cases.

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...