Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sort Column Value in Table from Rex Field

bruceaperez
New Member
‎03-24-2021 10:05 AM

Hi,

I'm trying to sort a value on a table from a rex field in Splunk Search.  For instance, I have below value:

DateHostCount
Wed_Mar_03/12/2021_12:30:01_EDTmn4.cioprd.lc4295
Wed_Mar_03/12/2021_12:40:01_EDTmn3.ciodev.lc2182
Wed_Mar_03/12/2021_12:30:01_EDThive3.CIOPRD.LC1273
Wed_Mar_03/12/2021_12:30:01_EDThive2.cioprd.lc1202
Wed_Mar_03/12/2021_12:40:01_EDTmn4.ciodev.lc1118

 

I would like to sort this by Host starting with ".cioprd.local".  The table should look like this.

DateHostCount
Wed_Mar_03/12/2021_12:30:01_EDTmn4.cioprd.lc4295
Wed_Mar_03/12/2021_12:30:01_EDThive2.cioprd.lc1202
Wed_Mar_03/12/2021_12:30:01_EDThive3.CIOPRD.LC1273
Wed_Mar_03/12/2021_12:40:01_EDTmn3.ciodev.lc2182
Wed_Mar_03/12/2021_12:40:01_EDTmn4.ciodev.lc1118

 

I tried the using the eval from this doc, but no luck.  Can you please help me on this?  Thanks.

Labels (2)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 12:01 PM

Hi @bruceaperez,

Thank you. Please try below;

| rex field=Host "\.(?<host_domain>[^\s]+)"
| sort - host_domain count
| fields - host_domain
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

bruceaperez
New Member
‎03-24-2021 03:41 PM

Hi @scelikok  - it seems it didn't work.  Here's my search command.

 

.... | rex field=_raw "(?<Date>[^\|]+)\|(?<Host>[^\|]+)\| (?i)Count=(?<count>[^\|]+)"
| fields + Date, Host, count
| search "mn4.ciodev.lc" OR "mn3.ciodev.lc" OR "hive3.CIOPRD.LC" OR "hive2.cioprd.lc" OR "mn4.cioprd.lc"
| eval Date = strptime(Date,"%a_%b_%m/%d/%Y_%H:%M:%S_%Z") | sort 0 - Date | eval Date = strftime(Date,"%a_%b_%m/%d/%Y_%H:%M:%S_%Z")
| table Date, Host, count
| dedup Host

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 10:48 AM

Hi @bruceaperez,

Your sort by criteria is not certain and I couldn't guess it by looking at your output sample. Do you want to extract one part of host? If yes which part? 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

bruceaperez
New Member
‎03-24-2021 11:04 AM

Hi @scelikok - i want to sort it by host and I want to arrange it by environment. Basically, I want to arrange it first with strings containing "cioprd.lc" then "ciodev.lc".  After I have arranged the host on this manner, then I will have to sort the Count in descending order.

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 09:28 PM

Hi @bruceaperez,

I think the problem was uppercase environment. Below changing environment to lowercase should work for you.

| rex field=Host "\.(?<host_domain>[^\s]+)" 
| eval host_domain=lower(host_domain) 
| sort - host_domain count
| fields - host_domain
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...