Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sort by a certain pattern of number occurring in a text?

Siva04
Engager
‎08-12-2022 08:22 AM

Hi, This is my first time starting a discussion. Please pardon my mistakes. So I am trying to perform a search where I can sort based  on a series of numbers occurring at the end of a text.

example:

index=abc sourcetype=xyz  Entity=HI* Text="*Rejected message received - code 456"

index=abc sourcetype=xyz  Entity=HI* Text="*Rejected message received - code 789"

index=abc sourcetype=xyz  Entity=HI* Text="*Rejected message received - code 345"

So I would like to sort count by the  3 digit code number. Is it possible to do it?

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-12-2022 10:18 AM

Hi @Siva04,

in this case, you have to extract the code field using a regex and use it for sorting, something like this:

index=abc sourcetype=xyz  Entity=HI* (Text="*Rejected message received - code 456" OR Text="*Rejected message received - code 789" OR Text="*Rejected message received - code 345")
| rex field=Text "code\s+(?<code>\d+)$"
| stats values(code) AS code count by Text 
| sort code

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Siva04
Engager
‎08-12-2022 10:13 AM

Hi,

I am trying to say that I want to sort it by the code that differs with every text. 

Text="*Rejected message received - code 456"

The * before the "Rejected message received " has a 6 digit number and when I do 
|stats count by Text 

it gives me the count based on the 6 digit number but instead I want it to give me count based on the code at the end of the Text. Since the code is not a field itself I am not able to do
|stats count by code

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-12-2022 10:18 AM

Hi @Siva04,

in this case, you have to extract the code field using a regex and use it for sorting, something like this:

index=abc sourcetype=xyz  Entity=HI* (Text="*Rejected message received - code 456" OR Text="*Rejected message received - code 789" OR Text="*Rejected message received - code 345")
| rex field=Text "code\s+(?<code>\d+)$"
| stats values(code) AS code count by Text 
| sort code

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Siva04
Engager
‎08-16-2022 09:33 AM

Thank you it worked

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-17-2022 12:16 AM

Hi @Siva04,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-12-2022 08:36 AM

Hi @Siva04,

sorry but your question isn't clear: if in a search you have one of the searches you shared all the values have the same Text, so it isn't possible to sort them.

Are the three searches in the same main search related by on "OR"?

If this is  your situation,. you can use the "sort" command:

index=abc sourcetype=xyz  Entity=HI* (Text="*Rejected message received - code 456" OR Text="*Rejected message received - code 789" OR Text="*Rejected message received - code 345")
| sort Text

as you san see at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...