Splunk Search

Can if function be used with sort?


I am working on a dashboard that has a radio button that can change a search between the following two:

| stats count by fieldA 


| stats dc(fieldA)

At the end of this search I would like to have a sort based on whether or not count or distinct count is being used.

sort - count


sort - distinct_count

Is this something that I can accomplish using the if function? The following is a non-functional example of what I would like to do.

if(count==distinct_count, sort - distinct_count, sort - count)

Thank you for any insight you might have.

0 Karma

| eval sort_field = if(count==distinct_count, distinct_count, count)
| sort -sort_field

You can try this.
Hope this helps, Thanks!

0 Karma


No, there is no way to do this that I'm familiar with.

Could you just try changing one of the stats functions to rename the field? E.g. change:

| stats dc(fieldA)

to

| stats dc(fieldA) as count

then, keep the normal sort

| sort - count


If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
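
One way to apply the rename suggestion in a Simple XML dashboard, as an added example that is not part of the original thread: each radio choice carries its complete stats clause and aliases the result to the same field, so a single fixed sort works for both. The token name `agg`, the field name `sort_value` and the `makeresults` sample data are assumptions made for illustration.

```xml
<form>
  <label>Conditional sort (added example)</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="agg" searchWhenChanged="true">
      <label>Aggregation</label>
      <!-- Each choice is a complete stats clause; both alias to sort_value -->
      <choice value="count AS sort_value BY fieldA">Count by fieldA</choice>
      <choice value="dc(fieldA) AS sort_value">Distinct count of fieldA</choice>
      <default>count AS sort_value BY fieldA</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Constructed sample data: six events with three fieldA values -->
          <query>| makeresults count=6
| streamstats count AS n
| eval fieldA=mvindex(split("alpha,alpha,alpha,beta,beta,gamma", ","), n-1)
| stats $agg$
| sort - sort_value</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```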