Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to sort the column names alphabetically at the end of the search?

HattrickNZ
Motivator
‎03-11-2019 06:00 PM

This is my sample search: 

| makeresults 
     | eval data = "
1-Sep    657 34 35;
2-Sep    434 34 35;
    " 
     | makemv delim=";" data
     | mvexpand data
     | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)"
     | fields + Date kpi1 kpi2 kpi3 | fields - _time
     | search kpi1 = * 
     |rename kpi1 as  "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times" 
     | rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures" 
     | rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
     | <command(s) goes here>

This gives me the columns in the following order - left to right

1/

Date    
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times  
Incoming Calls in Mobile Office Directions - Common Resources Application Failures  
Incoming Calls in Mobile Office Directions - Assignment Failures

Is there a command that I can add on that will sort these alphabetically to give me
2/

Date    
Incoming Calls in Mobile Office Directions - Assignment Failures
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times
Incoming Calls in Mobile Office Directions - Common Resources Application Failures

I know I can reorder the kpis in this part of the search
| fields + Date kpi1 kpi2 kpi3 |
But my question is more about after that and putting a specific command or commands to sort it alphabetically as 2/ above.
| <command(s) goes here>

Tags (3)
0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-11-2019 06:06 PM

You can use * with table and it will do it in ascii order:

e.g. |table * (but this might have fields you need to remove with |fields -)

or |table Date Inc*

All the best

Reply

niketn
Legend
‎03-11-2019 06:42 PM

@chrisyoungerjds rather than using table a fields can be used directly, the same is anyways there in the current query:

| makeresults 
| eval data = "
 1-Sep    657 34 35;
 2-Sep    434 34 35;
     " 
| makemv delim=";" data 
| mvexpand data 
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)" 
| fields - _time 
| search kpi1 = * 
| rename kpi1 as "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times" 
| rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures" 
| rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
| fields + Date "Incoming Calls in Mobile Office Directions - *"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-11-2019 07:01 PM

Yes you are absolutly right. Better to use fields over table

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...