
How to sort instance name alphanumeric not lexicographically?

myazdzik
Loves-to-Learn

Hi all, 

I was wondering if someone could help with a sort ordering issue I have. I am looking for a way to sort instance names of my computers alphanumerically where I can sort the list like:

a100pc1

a100pc2

a100pc3

a100pc10

a100pc20

instead of lexicographically like:

a100pc1

a100pc10

a100pc2

a100pc20

a100pc3

0 Karma

ITWhisperer
SplunkTrust

As you have already realised, you need to split up the name into its constituent parts so that they can be sorted appropriately. For this, you need to be able to define your naming scheme (as @isoutamo has already hinted). You have already said that you tried (and failed) to do this with rex. Perhaps this should be your question, i.e. you define your naming scheme, and we can help you come up with a rex expression to extract the constituent parts.

0 Karma

venky1544
Contributor

Hi @myazdzik 

Try the below:

| makeresults | eval new="a100pc1"
| append [| makeresults | eval new="a100pc10"]
| append [| makeresults | eval new="a100pc2"]
| append [| makeresults | eval new="a100pc20"]
| append [| makeresults | eval new="a100pc3"]
| fields - _time
| rex field=new "a100pc(?<_new>\d+)"
| sort _new

0 Karma

myazdzik
Loves-to-Learn

Hi Venky1544,

Sorry, I should have included that my instance names are dynamic and can change names at any given time, and it is possible to have over 75 instances. The "pc" portion can be different as well, where it could be a100srdb1 or a100srfs2. With the makeresults, it looks like I would need to manually create an entry for each instance name and adjust the search each time a new instance is added; is that a correct statement? What I would like to achieve is to perform an alphabetical sort after the a100, then identify the numeric numbering and sort by that dynamically. I tried different rex field statements, but the first alphanumeric keys keep screwing me up on results.

0 Karma

venky1544
Contributor

Hey @myazdzik 

makeresults was just to create the sample dataset, so you don't need to use that, but as @isoutamo said you probably have to work on the naming convention of the servers.

 

0 Karma

isoutamo
SplunkTrust
You probably have some naming schema for hosts like a100<dep/something non numeral><sequence number>? Or can the prefix be something else than a100?
0 Karma
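A search built on the naming scheme suggested in the replies above, as an added example that is not part of the original thread. It assumes every instance name is a prefix of letters then digits (such as a100), followed by a non-numeric role, followed by a trailing sequence number. The field names instance, prefix, role, seq and unmatched and the sample names are constructed for illustration; the first four lines only generate test data and would be replaced by your own base search.

```spl
| makeresults
| eval instance=split("a100pc10,a100srdb1,a100pc2,a100srfs2,a100pc1,a100pc20,a100srdb12,a100pc3,lab-box", ",")
| mvexpand instance
| fields - _time
| rex field=instance "^(?<prefix>[A-Za-z]+\d+)(?<role>[A-Za-z]+)(?<seq>\d+)$"
| eval unmatched=if(isnull(seq), 1, 0)
| sort 0 unmatched, prefix, role, num(seq)
| table instance prefix role seq unmatched
```

Here num(seq) forces a numeric comparison on the sequence number, so a100pc2 comes before a100pc10 within each role. Names that do not fit the pattern (lab-box in the sample) get unmatched=1 and sort to the end, which makes hosts that break the naming scheme easy to spot.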