Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to sort eval-ed field by one of its parent fields?

Dworsnop
Path Finder
‎11-08-2022 02:58 AM

Hi all, I need some help sorting an eval field by one of it's components per below.

...

 

| eventstats count(ID) AS countID by severity, name
| eval name_count=name." (".countID.")"
| stats values(name_count) AS Signatures count by severity

 

This gives me something like...

severity       Signatures
Critical        asig0 (34)
                       bsig1 (2)
                       csig2 (76)
High             asig3 (1)
                      bsig4 (23)
                      csig5 (22)

What I want...

severity      Signatures
Critical        csig2 (76)
                       asig0 (34)
                       bsig1 (2)
High              bsig4 (23)
                       csig5 (22)
                       asig3 (1)

Is there any way I can sort the Signatures column by the values in the countID field?

Thanks in advance! 🙂

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-09-2022 02:50 AM

Hi @Dworsnop,

ok good for you, only one detail: if you filter by severity, you don't need severity as key in the stats command.

Anyway, if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated;-)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-08-2022 03:03 AM

Hi @Dworsnop,

please try this:

| eventstats count(ID) AS countID by severity, name
| eval name_count=name." (".countID.")"
| stats values(name_count) AS Signatures count by severity
| rex field=Signatures "\((?<countID>\d+)"
| sort severity -countID
| fields - countID

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Dworsnop
Path Finder
‎11-08-2022 05:06 AM

Thanks for the pointers @gcusello . I've used what you've provided and I can extract the 'countID' value but when I try to sort by it all it does is sort the severity column and doesn't appear to do anything with the Signatures one.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-08-2022 06:04 AM

Hi @Dworsnop,

did you tried to sort by severity and countID desc, as I hinted?

could you share your search and the result you have?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Dworsnop
Path Finder
‎11-08-2022 08:40 AM

Hi @gcusello , here's my full search...

... severity IN ("Critical", "High", "Medium")
| eventstats count(ID) AS countID by severity, Name
| eval name_count=Name." (".countID.")"
| stats values(name_count) AS Signatures by severity
| rex field=Signatures "\((?<countID>\d+)\)$"
| sort severity, -countID
| fields - countID

 

Unfortunately, due to the nature of the information, I can't share the results but I can tell you that the order of the Signatures column hasn't changed. I've even kept the countID column in and the numbers aren't sorted. I've tried "| sort severity, -num(countID)" as well but it does nothing.

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-08-2022 11:39 PM

Hi @Dworsnop,

it isn't possible to have the exact solution that you would,

as a workaround you could have the severity vaue repeated in each row:

... severity IN ("Critical", "High", "Medium")
| eventstats count(ID) AS countID by severity, Name
| eval name_count=Name." (".countID.")"
| stats values(name_count) AS Signatures by severity
| mvexpand Signatures
| rex field=Signatures "\((?<countID>\d+)\)$"
| sort severity, -countID
| fields - countID

or changing the order in the Signature field:

... severity IN ("Critical", "High", "Medium")
| eventstats count(ID) AS countID by severity, Name
| eval name_count="(".countID.") ".Name
| stats values(name_count) AS Signatures by severity
| rex field=Signatures "^(?<countID>\d+)"
| sort severity, -countID
| fields - countID

but in this case it's literaly ordinated, so 100 comes before 20.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Dworsnop
Path Finder
‎11-09-2022 02:35 AM

Hi @gcusello .

Thanks very much for the help, in the end I went with...

... severity="Critical"  

| eventstats count(ID) AS countID by severity, Name  

| eval name_count=Name." (".countID.")"  

| rex field=name_count "\((?<newcountID>\d+)\)$" 

| stats count by name_count, newcountID 

| sort – newcountID 

| fields - newcountID, count 

| rename name_count AS "Signatures (count)" 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-09-2022 02:50 AM

Hi @Dworsnop,

ok good for you, only one detail: if you filter by severity, you don't need severity as key in the stats command.

Anyway, if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated;-)

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-09-2022 03:40 AM

Hi @Dworsnop,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...