Can if function be used with sort?

kamryn · ‎07-29-2019

I am working on a dashboard that has a radio button that can change a search between the two of the following

| stats count by fieldA

or

| stats dc(fieldA)

At the end of this search I would like to have a sort based on whether or not count or distinct count is being used.

sort - count

or

sort - distinct_count

Is this something that I can accomplish using the if function? The following is a non functional example of what I would like to do something like.

if(count==disctinct_count, sort - distinct_count, sort - count)

Thank you for any insight you might have.

sandeepmakkena · ‎10-16-2019

| eval sort_field = if(count==disctinct_count, distinct_count, count)
| sort -sort_field

You can try this.
Hope this helps, Thanks!

jacobpevans · ‎07-29-2019

No, there is no way to do this that I'm familiar with.

Could you just try changing one of the stats functions to rename the field? E.g. change:

| stats dc(fieldA)

to

| stats dc(fieldA) as count

then, keep the normal sort

| sort - count

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

Can if function be used with sort?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Can if function be used with sort?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...