Splunk Search

Can if function be used with sort?

kamryn
Explorer

I am working on a dashboard that has a radio button that can change a search between the two of the following

| stats count by fieldA 

or

| stats dc(fieldA)

At the end of this search I would like to have a sort based on whether or not count or distinct count is being used.

sort - count

or

sort - distinct_count

Is this something that I can accomplish using the if function? The following is a non functional example of what I would like to do something like.

if(count==disctinct_count, sort - distinct_count, sort - count)

Thank you for any insight you might have.

0 Karma

sandeepmakkena
Contributor
| eval sort_field = if(count==disctinct_count, distinct_count, count)
| sort -sort_field

You can try this.
Hope this helps, Thanks!

0 Karma

jacobpevans
Motivator

No, there is no way to do this that I'm familiar with.

Could you just try changing one of the stats functions to rename the field? E.g. change:

| stats dc(fieldA)

to

| stats dc(fieldA) as count

then, keep the normal sort

| sort - count

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Get Updates on the Splunk Community!

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...