Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to sort the column names alphabetically at the end of the search?

HattrickNZ
Motivator
‎03-11-2019 06:00 PM

This is my sample search: 

| makeresults 
     | eval data = "
1-Sep    657 34 35;
2-Sep    434 34 35;
    " 
     | makemv delim=";" data
     | mvexpand data
     | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)"
     | fields + Date kpi1 kpi2 kpi3 | fields - _time
     | search kpi1 = * 
     |rename kpi1 as  "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times" 
     | rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures" 
     | rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
     | <command(s) goes here>

This gives me the columns in the following order - left to right

1/

Date    
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times  
Incoming Calls in Mobile Office Directions - Common Resources Application Failures  
Incoming Calls in Mobile Office Directions - Assignment Failures

Is there a command that I can add on that will sort these alphabetically to give me
2/

Date    
Incoming Calls in Mobile Office Directions - Assignment Failures
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times
Incoming Calls in Mobile Office Directions - Common Resources Application Failures

I know I can reorder the kpis in this part of the search
| fields + Date kpi1 kpi2 kpi3 |
But my question is more about after that and putting a specific command or commands to sort it alphabetically as 2/ above.
| <command(s) goes here>

Tags (3)
0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-11-2019 06:06 PM

You can use * with table and it will do it in ascii order:

e.g. |table * (but this might have fields you need to remove with |fields -)

or |table Date Inc*

All the best

Reply

niketn
Legend
‎03-11-2019 06:42 PM

@chrisyoungerjds rather than using table a fields can be used directly, the same is anyways there in the current query:

| makeresults 
| eval data = "
 1-Sep    657 34 35;
 2-Sep    434 34 35;
     " 
| makemv delim=";" data 
| mvexpand data 
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)" 
| fields - _time 
| search kpi1 = * 
| rename kpi1 as "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times" 
| rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures" 
| rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
| fields + Date "Incoming Calls in Mobile Office Directions - *"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-11-2019 07:01 PM

Yes you are absolutly right. Better to use fields over table

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...