Splunk Search

Are values() returned by Splunk in a search sorted alphabetically?

morethanyell
Builder

I couldn't find any documentation except that values(), when used in transforming commands, performs dedup. But there's no official documentation saying that the result is returned or sorted alphabetically.

Thanks in advance.

0 Karma
1 Solution

inventsekar
SplunkTrust
index=main 
 | stats values(sourcetype) as ST

Updated: well, yes, I ran this one and "yes, values() returns the result alphabetically"

when used in transforming commands "performs dedup"
do you have any confusion regarding the dedup?!?!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !


morethanyell
Builder

No confusion at all because I completely understand that values() performs a dedup unlike list() which does not. Thanks anyway.

0 Karma

inventsekar
SplunkTrust

ya, the list() will just list the values.. and for values(), the Splunk creators liked alphabetical order, it seems.
maybe, you can accept this as the answer, so that this question will be moved to answered posts. thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

morethanyell
Builder

I can't accept this answer. But if you change your answer to "yes, values() returns the result alphabetically" then I will accept it as the correct answer. I hope you understand my part. I don't want to accept an answer with "maybe, that is a good idea, i feel." Thank you very much.

inventsekar
SplunkTrust

haha, done!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

inventsekar
SplunkTrust

when used in transforming commands performs dedup.//
Can you pls post your search query?!?!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

morethanyell
Builder
index=ourindex sourcetype=asourcetype
| stats values(Status) as Status by Category
| eval Status = mvjoin(Status, " ")

Result:

Category   Status
Cat1       Blocked Completed In Progress
Cat 2      Completed Not Started
Cat 3      Blocked In Progress Not Started
0 Karma
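
Added example, not part of the original thread: a self-contained search over constructed events (built with makeresults, so no index is needed) that puts list() and values() side by side. Splunk's stats function reference describes the order of values() as lexicographical, meaning digits sort before uppercase letters and uppercase before lowercase; the Status strings below are constructed to include a duplicate, a lowercase value and a numeric string so the difference from list() is visible.

```spl
| makeresults count=6
| streamstats count as n
| eval Status=case(n==1, "Not Started",
                   n==2, "Blocked",
                   n==3, "In Progress",
                   n==4, "Blocked",
                   n==5, "completed",
                   n==6, "10")
| stats list(Status) as list_order values(Status) as values_order
| eval list_order=mvjoin(list_order, " | "), values_order=mvjoin(values_order, " | ")
```

If a report or detection depends on the order in which events occurred, use list() (which keeps duplicates) or sort explicitly instead of relying on the order values() returns.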