Hi, this is my first time starting a discussion. Please pardon my mistakes. I am trying to perform a search where I can sort based on a series of numbers occurring at the end of a text.
Example:
index=abc sourcetype=xyz Entity=HI* Text="*Rejected message received - code 456"
index=abc sourcetype=xyz Entity=HI* Text="*Rejected message received - code 789"
index=abc sourcetype=xyz Entity=HI* Text="*Rejected message received - code 345"
So I would like to sort count by the 3 digit code number. Is it possible to do it?


Hi @Siva04,
in this case, you have to extract the code field using a regex and use it for sorting, something like this:
index=abc sourcetype=xyz Entity=HI* (Text="*Rejected message received - code 456" OR Text="*Rejected message received - code 789" OR Text="*Rejected message received - code 345")
| rex field=Text "code\s+(?<code>\d+)$"
| stats values(code) AS code count by Text
| sort code
Ciao.
Giuseppe
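An added example, not part of the original thread: it uses the same rex extraction as the answer above but groups by the extracted code instead of by Text, so the six-digit prefix no longer splits the counts. The events are constructed sample data built with makeresults, and the six-digit prefixes, the event with no code, and the "none" placeholder are assumptions made for illustration.

```spl
| makeresults
| eval Text=split("100001 Rejected message received - code 456;100002 Rejected message received - code 789;100003 Rejected message received - code 456;100004 Rejected message received - code 345;100005 Rejected message received", ";")
| mvexpand Text
| rex field=Text "code\s+(?<code>\d+)$"
| fillnull value="none" code
| stats count by code
| sort 0 code
```

Without the fillnull step, stats silently drops any event where the regex did not match, so malformed or truncated messages would disappear from the totals. Against real data, replace the first three lines with the base search and keep everything from rex onward.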
Hi,
I am trying to say that I want to sort it by the code that differs with every text.
Text="*Rejected message received - code 456"
The * before the "Rejected message received " has a 6 digit number and when I do
|stats count by Text
it gives me the count based on the 6 digit number but instead I want it to give me count based on the code at the end of the Text. Since the code is not a field itself I am not able to do
|stats count by code


Thank you it worked


Hi @Siva04,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉


Hi @Siva04,
sorry, but your question isn't clear: if in a search you have one of the searches you shared, all the values have the same Text, so it isn't possible to sort them.
Are the three searches in the same main search, related by an "OR"?
If this is your situation, you can use the "sort" command:
index=abc sourcetype=xyz Entity=HI* (Text="*Rejected message received - code 456" OR Text="*Rejected message received - code 789" OR Text="*Rejected message received - code 345")
| sort Text
as you can see at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort
Ciao.
Giuseppe
