Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

My dashboard modifies the search command "sor"t and "fields"

clorne
Communicator
‎08-30-2016 06:13 AM

Hello,
I have a search rule that is perfectly working:
.... |
sort - 0 _time |
fields - _* |
fields data1 data 2 data3

I have created a dashboard and integrated the rule.
The result of the rule is wrong and I discovered that the string search had been modified:

"sort - 0 _time" => "sort-0 _time" and this command does not work; it does not sort time in the correct order
"fields - _*" gets " fields-*" which is not doing the same thing; it does not remove the fields beginning by _

I have done many tests and this is reproductible 100%.
Each time the generation of the dashboard xml code corrupt my search string and I can not create a working dashboard.

Any ideas are welcome

Regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-30-2016 06:28 AM

I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:

sort 0 -_time

I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:

fields - _*

If your intended result was to end up with only the three fields at the end, you should be able to do this:

.... |
sort 0 -_time |
table data1 data2 data3

View solution in original post

Reply
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-30-2016 06:28 AM

I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:

sort 0 -_time

I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:

fields - _*

If your intended result was to end up with only the three fields at the end, you should be able to do this:

.... |
sort 0 -_time |
table data1 data2 data3
Reply
Solved! Jump to solution

clorne
Communicator
‎08-30-2016 08:14 AM

Thansk a lot

0 Karma
Reply
Solved! Jump to solution

jpolcari
Communicator
‎08-30-2016 06:18 AM

Check out the sort documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sort

Give this a shot instead. This is the correct syntax:

sort 0 -_time
Reply
Solved! Jump to solution

clorne
Communicator
‎08-30-2016 08:14 AM

Thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...