Splunk Search

How to sort by a certain pattern of number occurring in a text?

Siva04
Engager

Hi, This is my first time starting a discussion. Please pardon my mistakes. So I am trying to perform a search where I can sort based on a series of numbers occurring at the end of a text.

example:

index=abc sourcetype=xyz  Entity=HI* Text="*Rejected message received - code 456"

index=abc sourcetype=xyz  Entity=HI* Text="*Rejected message received - code 789"

index=abc sourcetype=xyz  Entity=HI* Text="*Rejected message received - code 345"

So I would like to sort count by the 3-digit code number. Is it possible to do it?


Siva04
Engager

Hi,

I am trying to say that I want to sort it by the code that differs with every text.

Text="*Rejected message received - code 456"

The * before the "Rejected message received " has a 6-digit number, and when I do

|stats count by Text

it gives me the count based on the 6-digit number, but instead I want it to give me the count based on the code at the end of the Text. Since the code is not a field itself, I am not able to do

|stats count by code


gcusello
SplunkTrust

Hi @Siva04,

in this case, you have to extract the code field using a regex and use it for sorting, something like this:

index=abc sourcetype=xyz  Entity=HI* (Text="*Rejected message received - code 456" OR Text="*Rejected message received - code 789" OR Text="*Rejected message received - code 345")
| rex field=Text "code\s+(?<code>\d+)$"
| stats values(code) AS code count by Text 
| sort code

Ciao.

Giuseppe

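A self-contained version of the extract-then-group pattern, added here as an example and not taken from the thread: it builds four constructed sample events with makeresults so it runs without the abc index, assumes the leading 6-digit number is separated from the message by a space, and groups by the extracted code instead of by Text so the leading number no longer splits the counts.

```spl
| makeresults
| eval Text=split("100001 Rejected message received - code 456;100002 Rejected message received - code 456;100003 Rejected message received - code 789;100004 Rejected message received - code 345", ";")
| mvexpand Text
| rex field=Text "^(?<msg_id>\d{6})\s+.*code\s+(?<code>\d{3})$"
| stats count AS rejections BY code
| sort code
```

Against real data, replace the first three lines with the index=abc sourcetype=xyz Entity=HI* search; sort code orders the all-digit values numerically, and sort -rejections lists the most frequent code first.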

Siva04
Engager

Thank you it worked


gcusello
SplunkTrust

Hi @Siva04,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


gcusello
SplunkTrust

Hi @Siva04,

sorry but your question isn't clear: if in a search you have one of the searches you shared all the values have the same Text, so it isn't possible to sort them.

Are the three searches in the same main search related by an "OR"?

If this is your situation, you can use the "sort" command:

index=abc sourcetype=xyz  Entity=HI* (Text="*Rejected message received - code 456" OR Text="*Rejected message received - code 789" OR Text="*Rejected message received - code 345")
| sort Text

as you can see at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort

Ciao.

Giuseppe
