Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- My dashboard modifies the search command "sor"t an...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
clorne
Communicator
08-30-2016
06:13 AM
Hello,
I have a search rule that is perfectly working:
.... |
sort - 0 _time |
fields - _* |
fields data1 data 2 data3
I have created a dashboard and integrated the rule.
The result of the rule is wrong and I discovered that the string search had been modified:
"sort - 0 _time" => "sort-0 _time" and this command does not work; it does not sort time in the correct order
"fields - _*" gets " fields-*" which is not doing the same thing; it does not remove the fields beginning by _
I have done many tests and this is reproductible 100%.
Each time the generation of the dashboard xml code corrupt my search string and I can not create a working dashboard.
Any ideas are welcome
Regards
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
justinatpnnl
Communicator
08-30-2016
06:28 AM
I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:
sort 0 -_time
I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:
fields - _*
If your intended result was to end up with only the three fields at the end, you should be able to do this:
.... |
sort 0 -_time |
table data1 data2 data3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
justinatpnnl
Communicator
08-30-2016
06:28 AM
I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:
sort 0 -_time
I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:
fields - _*
If your intended result was to end up with only the three fields at the end, you should be able to do this:
.... |
sort 0 -_time |
table data1 data2 data3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
clorne
Communicator
08-30-2016
08:14 AM
Thansk a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jpolcari
Communicator
08-30-2016
06:18 AM
Check out the sort documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sort
Give this a shot instead. This is the correct syntax:
sort 0 -_time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
clorne
Communicator
08-30-2016
08:14 AM
Thanks a lot
Get Updates on the Splunk Community!
.conf25 Registration is OPEN!
Ready. Set. Splunk!
Your favorite Splunk user event is back and better than ever. Get ready for more technical ...
Detecting Cross-Channel Fraud with Splunk
This article is the final installment in our three-part series exploring fraud detection techniques using ...
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
