Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How can I sort the split columns in this pivot?

tkwaller_2
Communicator
‎08-02-2018 09:08 AM

Hello

I have a dataset that I created along with a pivot table. the table has a split column called RR_Score which is an eval field in the dataset. This field evals a field called score and creates criticality as Critical, High, Medium, Low, Nominal and None. I want it sorted in that order specifically BUT I cannot do that, it only sorts alphabetically. I tried eval'ing a new field called
sortingSequence that does this:

case(RR_Score="Critical", 1, RR_Score="High", 2, RR_Score="Medium", 3, RR_Score="Low", 4, RR_Score="Nominal", 5, RR_Score="None", 6,1=1, 0)

However it doesn't sort in regular search nor in pivot, I don't want to display the field either. just want to order the RR_Score fields.

The search looks something like this:

| pivot RiskEvalData RiskEvalData count(info_name) AS "Count of Vendor" SPLITROW info_owner_subsidiary AS Subsidiary SPLITROW info_owner_deptTechnical AS "Technical Dept" SPLITROW info_owner_deptBusiness AS LOB SPLITCOL RR_Score SORT 1000 sortingSequence ROWSUMMARY 1 COLSUMMARY 1 NUMCOLS 100 SHOWOTHER 1

I have attached a screenshot of the pivot table.
alt text

Any thought how I can get the RR_Score fields sorted properly?
Thanks as always!

Preview file
115 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-02-2018 12:55 PM

You can try thi, If the values for field RR_Score are fixed and you always want all columns to be present.

| pivot RiskEvalData RiskEvalData count(info_name) AS "Count of Vendor" SPLITROW info_owner_subsidiary AS Subsidiary SPLITROW info_owner_deptTechnical AS "Technical Dept" SPLITROW info_owner_deptBusiness AS LOB SPLITCOL RR_Score SORT 1000 sortingSequence ROWSUMMARY 1 COLSUMMARY 1 NUMCOLS 100 SHOWOTHER 1
| table Subsidiary  "Technical Dept" LOB Critical High Medium Low Nominal None ALL

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-02-2018 12:55 PM

You can try thi, If the values for field RR_Score are fixed and you always want all columns to be present.

| pivot RiskEvalData RiskEvalData count(info_name) AS "Count of Vendor" SPLITROW info_owner_subsidiary AS Subsidiary SPLITROW info_owner_deptTechnical AS "Technical Dept" SPLITROW info_owner_deptBusiness AS LOB SPLITCOL RR_Score SORT 1000 sortingSequence ROWSUMMARY 1 COLSUMMARY 1 NUMCOLS 100 SHOWOTHER 1
| table Subsidiary  "Technical Dept" LOB Critical High Medium Low Nominal None ALL
Reply
Solved! Jump to solution

tkwaller_2
Communicator
‎08-02-2018 01:10 PM

For the win!

That was it. For some reason I didn't think about tabling again. Thanks again!

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-02-2018 07:33 PM

@tkwaller_2 - if your issue has been solved, please accept the answer that solved it. Feel free to upvote any answers or comments that you found particularly helpful as well, on your own or other people's questions.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...