Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Sort Column Value in Table from Rex Field

bruceaperez
New Member
‎03-24-2021 10:05 AM

Hi,

I'm trying to sort a value on a table from a rex field in Splunk Search.  For instance, I have below value:

DateHostCount
Wed_Mar_03/12/2021_12:30:01_EDTmn4.cioprd.lc4295
Wed_Mar_03/12/2021_12:40:01_EDTmn3.ciodev.lc2182
Wed_Mar_03/12/2021_12:30:01_EDThive3.CIOPRD.LC1273
Wed_Mar_03/12/2021_12:30:01_EDThive2.cioprd.lc1202
Wed_Mar_03/12/2021_12:40:01_EDTmn4.ciodev.lc1118

 

I would like to sort this by Host starting with ".cioprd.local".  The table should look like this.

DateHostCount
Wed_Mar_03/12/2021_12:30:01_EDTmn4.cioprd.lc4295
Wed_Mar_03/12/2021_12:30:01_EDThive2.cioprd.lc1202
Wed_Mar_03/12/2021_12:30:01_EDThive3.CIOPRD.LC1273
Wed_Mar_03/12/2021_12:40:01_EDTmn3.ciodev.lc2182
Wed_Mar_03/12/2021_12:40:01_EDTmn4.ciodev.lc1118

 

I tried the using the eval from this doc, but no luck.  Can you please help me on this?  Thanks.

Labels (2)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 12:01 PM

Hi @bruceaperez,

Thank you. Please try below;

| rex field=Host "\.(?<host_domain>[^\s]+)"
| sort - host_domain count
| fields - host_domain
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

bruceaperez
New Member
‎03-24-2021 03:41 PM

Hi @scelikok  - it seems it didn't work.  Here's my search command.

 

.... | rex field=_raw "(?<Date>[^\|]+)\|(?<Host>[^\|]+)\| (?i)Count=(?<count>[^\|]+)"
| fields + Date, Host, count
| search "mn4.ciodev.lc" OR "mn3.ciodev.lc" OR "hive3.CIOPRD.LC" OR "hive2.cioprd.lc" OR "mn4.cioprd.lc"
| eval Date = strptime(Date,"%a_%b_%m/%d/%Y_%H:%M:%S_%Z") | sort 0 - Date | eval Date = strftime(Date,"%a_%b_%m/%d/%Y_%H:%M:%S_%Z")
| table Date, Host, count
| dedup Host

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 10:48 AM

Hi @bruceaperez,

Your sort by criteria is not certain and I couldn't guess it by looking at your output sample. Do you want to extract one part of host? If yes which part? 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

bruceaperez
New Member
‎03-24-2021 11:04 AM

Hi @scelikok - i want to sort it by host and I want to arrange it by environment. Basically, I want to arrange it first with strings containing "cioprd.lc" then "ciodev.lc".  After I have arranged the host on this manner, then I will have to sort the Count in descending order.

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 09:28 PM

Hi @bruceaperez,

I think the problem was uppercase environment. Below changing environment to lowercase should work for you.

| rex field=Host "\.(?<host_domain>[^\s]+)" 
| eval host_domain=lower(host_domain) 
| sort - host_domain count
| fields - host_domain
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...