Splunk Search

How to position a value in table in the last column?

vvemula
Path Finder

I have result like this, 

parametercompliancenon-compliance
64bit4322
Bios2441
Error065
Inter641
OS614

 

And I want Error to be displayed in the last column, Like below:

parametercompliancenon-compliance
64bit4322
Bios2441
Inter641
OS614
Error065

 

is it something possible in Splunk without CSS or JS. 

Labels (1)
0 Karma

vvemula
Path Finder

@gcusello  Thanks for the help. But its not working. 

--> As per your search, after modify the Error to "zzz_Error", Its coming in the last row. But once I use eval to change from "zzz_Error" to Error. Its going back to the original position again. 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vvemula,

did you respected the order of commands: eval, chart, eval?

in my Splunk it runs:

gcusello_0-1605599170246.png

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vvemula,

you have to temporary modify Error value to be sure that it's the last one and, at the end, restore the original value, something like this:

your_search
| eval parameter=if(parameter="Error","ZZZZ_Error",parameter)
| chart count over status BY parameter
| eval parameter=if(parameter="ZZZZ_Error","Error",parameter)

Ciao.

Giuseppe 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...