Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

My dashboard modifies the search command "sor"t and "fields"

clorne
Communicator
‎08-30-2016 06:13 AM

Hello,
I have a search rule that is perfectly working:
.... |
sort - 0 _time |
fields - _* |
fields data1 data 2 data3

I have created a dashboard and integrated the rule.
The result of the rule is wrong and I discovered that the string search had been modified:

"sort - 0 _time" => "sort-0 _time" and this command does not work; it does not sort time in the correct order
"fields - _*" gets " fields-*" which is not doing the same thing; it does not remove the fields beginning by _

I have done many tests and this is reproductible 100%.
Each time the generation of the dashboard xml code corrupt my search string and I can not create a working dashboard.

Any ideas are welcome

Regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-30-2016 06:28 AM

I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:

sort 0 -_time

I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:

fields - _*

If your intended result was to end up with only the three fields at the end, you should be able to do this:

.... |
sort 0 -_time |
table data1 data2 data3

View solution in original post

Reply
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-30-2016 06:28 AM

I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:

sort 0 -_time

I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:

fields - _*

If your intended result was to end up with only the three fields at the end, you should be able to do this:

.... |
sort 0 -_time |
table data1 data2 data3
Reply
Solved! Jump to solution

clorne
Communicator
‎08-30-2016 08:14 AM

Thansk a lot

0 Karma
Reply
Solved! Jump to solution

jpolcari
Communicator
‎08-30-2016 06:18 AM

Check out the sort documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sort

Give this a shot instead. This is the correct syntax:

sort 0 -_time
Reply
Solved! Jump to solution

clorne
Communicator
‎08-30-2016 08:14 AM

Thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...