Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

My dashboard modifies the search command "sor"t and "fields"

clorne
Communicator
‎08-30-2016 06:13 AM

Hello,
I have a search rule that is perfectly working:
.... |
sort - 0 _time |
fields - _* |
fields data1 data 2 data3

I have created a dashboard and integrated the rule.
The result of the rule is wrong and I discovered that the string search had been modified:

"sort - 0 _time" => "sort-0 _time" and this command does not work; it does not sort time in the correct order
"fields - _*" gets " fields-*" which is not doing the same thing; it does not remove the fields beginning by _

I have done many tests and this is reproductible 100%.
Each time the generation of the dashboard xml code corrupt my search string and I can not create a working dashboard.

Any ideas are welcome

Regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-30-2016 06:28 AM

I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:

sort 0 -_time

I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:

fields - _*

If your intended result was to end up with only the three fields at the end, you should be able to do this:

.... |
sort 0 -_time |
table data1 data2 data3

View solution in original post

Reply
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎08-30-2016 06:28 AM

I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:

sort 0 -_time

I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:

fields - _*

If your intended result was to end up with only the three fields at the end, you should be able to do this:

.... |
sort 0 -_time |
table data1 data2 data3
Reply
Solved! Jump to solution

clorne
Communicator
‎08-30-2016 08:14 AM

Thansk a lot

0 Karma
Reply
Solved! Jump to solution

jpolcari
Communicator
‎08-30-2016 06:18 AM

Check out the sort documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sort

Give this a shot instead. This is the correct syntax:

sort 0 -_time
Reply
Solved! Jump to solution

clorne
Communicator
‎08-30-2016 08:14 AM

Thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW! Every day the list of sources Admins are responsible for gets bigger and bigger, often making ...