Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to sort instance name alphanumeric not lexicographically?

myazdzik
Loves-to-Learn
‎03-15-2022 08:42 AM

Hi all, 

I was wondering if someone could help with a sort ordering issue I have. I am looking for a way to sort instance names of my computers  alphanumerically where I can sort the list like:

a100pc1

a100pc2

a100pc3

a100pc10

a100pc20

instead of lexicographically like:

  a100pc1

 a100pc10

 a100pc2

 a100pc20

 a100pc3

Labels (1)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-16-2022 01:28 AM

As you have already realised, you need to split up the name into its constituent parts so that they can be sorted appropriately. For this, you need to be able to define your naming scheme (as @isoutamo has already hinted). You have already said that you tried (and failed) to do this with rex. Perhaps, this should be your question i.e. you define your naming scheme, and we can help you come up with a rex expression to extract the constituent parts.

0 Karma
Reply

venky1544
Builder
‎03-15-2022 09:36 AM

Hi @myazdzik 

try the below 

|makeresults |eval new="a100pc1"
|append [|makeresults |eval new="a100pc10" ]
|append [|makeresults |eval new="a100pc2" ]
|append [|makeresults |eval new="a100pc20" ]
|append [|makeresults |eval new="a100pc3" ]|fields - _time | rex field=new "a100pc(?<_new>\d+)"| sort _new

0 Karma
Reply

myazdzik
Loves-to-Learn
‎03-15-2022 10:50 AM

Hi Venky1544,

sorry i should have included that my instance names are dynamic and can change names at any given time and possible to be over 75 instances. and the "pc" portion can be different as well where it could be a100srdb1 or a100srfs2. with the make results, it looks like I would need to manually create an entry for each instance name and adjust the search each time a new instance is added, is that a correct statement? what i would like to achieve is perform an alphabet sort after the a100 then identify the numeric numbering and sort by that dynamically. i tried different rex field statements but the first alphanumeric keys keep screwing me up on results

0 Karma
Reply

venky1544
Builder
‎03-16-2022 02:52 AM

Hey @myazdzik 

makresult was just to create the sample dataset as you dont need to use that but as @isoutamo said you probably have to work on the naming convention of the servers 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-16-2022 01:14 AM
You probably have some naming schema for hosts like a100<dep/something non numeral><sequence number>? Or can the prefix be something else that a100?
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...