How to sort a statistics based on 2 columns

prerana_jain
Explorer

I have written a search to get the timings of a particular log from different servers. I want to sort it based on host and source. I have used multisearch and a stats values(xx) by date,time,host,source command.

Example:
Date Time host source
2/20 2:13 110 /opt/source.log
2/20 2:15 117 /opt/dest.log
2/20 2:20 116 /opt/so.log

Expected result:
Sort the statistics by the host and source columns.

I tried to use the case command, but it is not working.

0 Karma

to4kawa
Ultra Champion
<form>
  <label>select sort</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="sort1" searchWhenChanged="true">
      <label>first sort</label>
      <choice value="host">host</choice>
      <choice value="source">source</choice>
      <choice value="Time">Time</choice>
      <choice value="Date">Date</choice>
      <default>host</default>
      <initialValue>host</initialValue>
    </input>
    <input type="dropdown" token="sort2" searchWhenChanged="true">
      <label>second sort</label>
      <choice value="host">host</choice>
      <choice value="source">source</choice>
      <choice value="Time">Time</choice>
      <choice value="Date">Date</choice>
      <default>source</default>
      <initialValue>source</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults
|eval _raw="Date Time host source
2/20 2:13 110 /opt/source.log
2/20 2:15 117 /opt/dest.log
2/20 2:20 116 /opt/so.log
2/20 2:13 110 /opt/dest.log
2/20 2:15 117 /opt/source.log"
|multikv forceheader=1
|table Date Time host source
| sort $sort1$ $sort2$</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

I'm not sure I want to write case telling which host, source has to be first. Which needs to be second.

Do you want to create a dashboard like the one above?

your_search
| sort 0 host source

Is sort wrong?

0 Karma

prerana_jain
Explorer

The above command sorts in ascending order, but I want to sort according to my requirements.

Ex:
Date Time host source
2/20 2:13 110 /opt/source.log
2/20 2:15 117 /opt/dest.log
2/20 2:20 116 /opt/so.log
2/20 2:13 110 /opt/dest.log
2/20 2:15 117 /opt/source.log

Expected:
Date Time host source
2/20 2:13 110 /opt/dest.log
2/20 2:15 117 /opt/source.log
2/20 2:13 110 /opt/source.log
2/20 2:15 117 /opt/dest.log
2/20 2:20 116 /opt/so.log

I want to write a case telling which host and source has to be first, and which needs to be second.

0 Karma
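One way to express the explicit row order from the "Expected" table in SPL, added here as an example and not code from either poster: give each host/source combination a rank with eval case(), sort on that rank, and then drop it. The sample rows are the constructed ones already used in the thread; the field name row_order, the rank values and the catch-all rank 99 are assumptions.

```spl
| makeresults
| eval _raw="Date Time host source
2/20 2:13 110 /opt/source.log
2/20 2:15 117 /opt/dest.log
2/20 2:20 116 /opt/so.log
2/20 2:13 110 /opt/dest.log
2/20 2:15 117 /opt/source.log"
| multikv forceheader=1
| table Date Time host source
| eval row_order=case(
      host="110" AND source="/opt/dest.log",   1,
      host="117" AND source="/opt/source.log", 2,
      host="110" AND source="/opt/source.log", 3,
      host="117" AND source="/opt/dest.log",   4,
      host="116" AND source="/opt/so.log",     5,
      true(), 99)
| sort 0 row_order
| fields - row_order
```

The case() is evaluated top to bottom, so the first matching branch assigns the rank; the final true() branch sends any host/source pair that is not listed to the end of the table instead of leaving row_order null. sort 0 lifts the default 10,000-row limit of sort. If the required order is really per column (a fixed host order, then a fixed source order within each host), use one case() per column, for example host_order and source_order, and finish with sort 0 host_order source_order.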