Splunk Search

Modify sort's behavior?

bojanz
Communicator

I have data that is using a different charset.

When displaying this data in a simple table, Splunk parses it as string and applies same rules when sorting it, by bytes.

This causes the text to be sorted like this:

A, B, C .... X, Y, Z, local_char_1, local_char_2 etc.

That's correct when just checking bytes (unicode), however our alphabet is different. Is it possible to modify the sort command's behavior so it sorts text like this:

A, B, C, local_char_1, D, E ....

Tags (1)

bojanz
Communicator

The issue is that I want to allow the user to sort as he/she wants in the interface, by any column that is displayed in the table. I can maybe use a hidden variable that is populated by my external script but that will work for first display only, as far as I understand.

0 Karma

dwaddle
SplunkTrust
SplunkTrust

To use a fancy word, you're wanting to change the "collating sequence" for sort. As far as I know this is not possible directly out of the box. This type of internationalization support could make a good enhancement request. There's a chance that the collating sequence is governed by the language settings in Splunk, but I've not tested.

In a worst case, you could implement your own sort algorithm using a custom search command. Then you are free to define whatever collating sequence you require.

0 Karma

bojanz
Communicator

Thanks - does that mean I just create a new command and use it like this:

old search | mysearch

How will this work when the user clicks on the sort button in the table? Generally I have problems only with text fields (due to the character set, obviously), with numbers it (of course) works ok.

0 Karma

araitz
Splunk Employee
Splunk Employee

Can you use the fields command after table to mandate the order of the fields?

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...