Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

My dashboard modifies the search command "sor"t and "fields"

clorne
Communicator
‎08-30-2016 06:13 AM

Hello,
I have a search rule that is perfectly working:
.... |
sort - 0 _time |
fields - _* |
fields data1 data 2 data3

I have created a dashboard and integrated the rule.
The result of the rule is wrong and I discovered that the string search had been modified:

"sort - 0 _time" => "sort-0 _time" and this command does not work; it does not sort time in the correct order
"fields - _*" gets " fields-*" which is not doing the same thing; it does not remove the fields beginning by _

I have done many tests and this is reproductible 100%.
Each time the generation of the dashboard xml code corrupt my search string and I can not create a working dashboard.

Any ideas are welcome

Regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-30-2016 06:28 AM

I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:

sort 0 -_time

I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:

fields - _*

If your intended result was to end up with only the three fields at the end, you should be able to do this:

.... |
sort 0 -_time |
table data1 data2 data3

View solution in original post

Reply
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-30-2016 06:28 AM

I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:

sort 0 -_time

I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:

fields - _*

If your intended result was to end up with only the three fields at the end, you should be able to do this:

.... |
sort 0 -_time |
table data1 data2 data3
Reply
Solved! Jump to solution

clorne
Communicator
‎08-30-2016 08:14 AM

Thansk a lot

0 Karma
Reply
Solved! Jump to solution

jpolcari
Communicator
‎08-30-2016 06:18 AM

Check out the sort documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sort

Give this a shot instead. This is the correct syntax:

sort 0 -_time
Reply
Solved! Jump to solution

clorne
Communicator
‎08-30-2016 08:14 AM

Thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...