Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Alphabetically sorting a MVfield

rvsroe
Explorer
‎06-19-2020 05:43 AM

Hi All,

I'm trying to combine a number of fields using:

| stats values(task_name) as task_name by idnumber


This works great when it comes to timestamps associated with the idnumber, but for
the tasks associated with it, splunk sorts it alphabetically.

This leads to problems down the line when we try to see which task was executed first.

Part of the problem is that the number of timestamps can differ from the number of tasks
so to make a new field with timestamp and task combined does not work.

#original data:
sysmodtime,task_name,idnumber
05/01/20 12:00 PM,one,1
05/01/20 12:01 AM,two,1
05/01/20 12:02 AM,two,1
05/01/20 12:02 AM,two,1
05/02/20 12:00 PM,one,2
04/02/20 12:00 AM,one,2
04/02/20 01:00 AM,one,2
04/02/20 02:00 AM,one,3
05/04/20 12:00 PM,one,4
05/03/20 12:00 PM,two,4
05/03/20 12:01 PM,three,4
05/03/20 12:02 PM,four,4
05/03/20 12:40 PM,five,4
05/03/20 12:50 PM,six,4


#the conflicting results after stats command (see attachment)

Any advice would be welcome
Cheers,
Roelof

Preview file
110 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2020 07:20 AM

It's not clear what results you want.  Can you provide a mockup of the desired output?

Have you tried putting both columns in the stats command?

| stats values(*) as * by idnumber
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rvsroe
Explorer
‎06-22-2020 01:45 AM

Hi Richgalloway, thanks for the reply, the atachment in the main question shows the erroneous results, with the tasks sorted alphabetically instead of matched with the timestamp, so for example for id number 1 there are 6 tasks and 6 time stamps,  the stats command (placing both columns inside stats) gives:

sysmodtime, task_name, idnumber
05/04/20 12:00 PM, five, 4
05/03/20 12:00 PM, four,
05/03/20 12:01 PM, one,
05/03/20 12:02 PM, six.
05/03/20 12:40 PM, three,
05/03/20 12:50 PM, two,

whereas the order should be simply; one, two, three, four, five, six

Solutions that make a new field using sysmodtime and task_name fail since number of tasks
and number of sysmodtime are not equal in all cases.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...