
How to sort by a certain pattern of number occurring in a text?

Siva04
Engager

Hi, This is my first time starting a discussion. Please pardon my mistakes. So I am trying to perform a search where I can sort based on a series of numbers occurring at the end of a text.

example:

index=abc sourcetype=xyz  Entity=HI* Text="*Rejected message received - code 456"

index=abc sourcetype=xyz  Entity=HI* Text="*Rejected message received - code 789"

index=abc sourcetype=xyz  Entity=HI* Text="*Rejected message received - code 345"

So I would like to sort count by the 3 digit code number. Is it possible to do it?

1 Solution

gcusello
SplunkTrust

Hi @Siva04,

in this case, you have to extract the code field using a regex and use it for sorting, something like this:

index=abc sourcetype=xyz  Entity=HI* (Text="*Rejected message received - code 456" OR Text="*Rejected message received - code 789" OR Text="*Rejected message received - code 345")
| rex field=Text "code\s+(?<code>\d+)$"
| stats values(code) AS code count by Text 
| sort code

Ciao.

Giuseppe

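The pipeline in the accepted answer (extract the trailing code with a regex, then aggregate and sort on it), reproduced here in Python as an added illustration that is not part of the thread and not Splunk's own code. The events, the six-digit prefixes and the Entity values are constructed; the field names Entity and Text and the message format follow the question. Unlike the answer, which keeps `by Text`, this counts directly by the extracted code, which is what the question asks for, and it drops events with no trailing code the same way `rex` leaves them without a `code` field:

```python
import re
from collections import Counter

# Constructed sample events in the shape described in the thread: a six-digit
# prefix, the fixed message, and a trailing three-digit code. Values are made up.
SAMPLE_EVENTS = [
    {"Entity": "HI-01", "Text": "123456 Rejected message received - code 456"},
    {"Entity": "HI-02", "Text": "654321 Rejected message received - code 789"},
    {"Entity": "HI-03", "Text": "111111 Rejected message received - code 345"},
    {"Entity": "HI-04", "Text": "222222 Rejected message received - code 456"},
    {"Entity": "HI-05", "Text": "333333 Rejected message received - code 345"},
    {"Entity": "HI-06", "Text": "444444 Rejected message received - code 456"},
    # No trailing code: rex would not set a 'code' field for this event.
    {"Entity": "HI-07", "Text": "555555 Accepted message received"},
]

# Same pattern as the thread's rex: "code\s+(?<code>\d+)$"
CODE_RE = re.compile(r"code\s+(?P<code>\d+)$")


def extract_code(text):
    """Return the trailing numeric code as a string, or None when absent.

    Mirrors rex: an event whose Text does not match simply gets no code field.
    """
    m = CODE_RE.search(text)
    return m.group("code") if m else None


def count_by_code(events):
    """Equivalent of '| rex ... | stats count by code | sort num(code)'.

    Returns a list of (code, count) ordered numerically by code, so that a
    hypothetical code 45 would sort before 345 rather than after it.
    """
    counts = Counter()
    for ev in events:
        code = extract_code(ev.get("Text", ""))
        if code is not None:
            counts[code] += 1
    return sorted(counts.items(), key=lambda kv: int(kv[0]))


def count_by_text(events):
    """What '| stats count by Text' gives: one row per distinct Text value.

    Because the six-digit prefix differs per event, every event lands in its
    own bucket, which is the behaviour the question complains about.
    """
    counts = Counter(ev["Text"] for ev in events)
    return sorted(counts.items())


if __name__ == "__main__":
    print("count by extracted code:")
    for code, n in count_by_code(SAMPLE_EVENTS):
        print(f"  code={code} count={n}")
    print(f"count by Text produces {len(count_by_text(SAMPLE_EVENTS))} rows")
```

In SPL the equivalent of the sort key above is `| sort num(code)`: `sort` auto-detects numeric fields, but `num()` forces numeric collation even if some extracted values are not purely numeric, which avoids a lexicographic order such as 1000 before 345.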

Siva04
Engager

Hi,

I am trying to say that I want to sort it by the code that differs with every text. 

Text="*Rejected message received - code 456"

The * before the "Rejected message received " has a 6 digit number and when I do 
|stats count by Text 

it gives me the count based on the 6 digit number but instead I want it to give me count based on the code at the end of the Text. Since the code is not a field itself I am not able to do
|stats count by code



Siva04
Engager

Thank you it worked


gcusello
SplunkTrust

Hi @Siva04,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


gcusello
SplunkTrust

Hi @Siva04,

sorry, but your question isn't clear: if in a search you have one of the searches you shared, all the values have the same Text, so it isn't possible to sort them.

Are the three searches in the same main search, related by an "OR"?

If this is your situation, you can use the "sort" command:

index=abc sourcetype=xyz  Entity=HI* (Text="*Rejected message received - code 456" OR Text="*Rejected message received - code 789" OR Text="*Rejected message received - code 345")
| sort Text

as you can see at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort

Ciao.

Giuseppe
