Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Sort Column Value in Table from Rex Field

bruceaperez
New Member
‎03-24-2021 10:05 AM

Hi,

I'm trying to sort a value on a table from a rex field in Splunk Search.  For instance, I have below value:

DateHostCount
Wed_Mar_03/12/2021_12:30:01_EDTmn4.cioprd.lc4295
Wed_Mar_03/12/2021_12:40:01_EDTmn3.ciodev.lc2182
Wed_Mar_03/12/2021_12:30:01_EDThive3.CIOPRD.LC1273
Wed_Mar_03/12/2021_12:30:01_EDThive2.cioprd.lc1202
Wed_Mar_03/12/2021_12:40:01_EDTmn4.ciodev.lc1118

 

I would like to sort this by Host starting with ".cioprd.local".  The table should look like this.

DateHostCount
Wed_Mar_03/12/2021_12:30:01_EDTmn4.cioprd.lc4295
Wed_Mar_03/12/2021_12:30:01_EDThive2.cioprd.lc1202
Wed_Mar_03/12/2021_12:30:01_EDThive3.CIOPRD.LC1273
Wed_Mar_03/12/2021_12:40:01_EDTmn3.ciodev.lc2182
Wed_Mar_03/12/2021_12:40:01_EDTmn4.ciodev.lc1118

 

I tried the using the eval from this doc, but no luck.  Can you please help me on this?  Thanks.

Labels (2)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 12:01 PM

Hi @bruceaperez,

Thank you. Please try below;

| rex field=Host "\.(?<host_domain>[^\s]+)"
| sort - host_domain count
| fields - host_domain
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

bruceaperez
New Member
‎03-24-2021 03:41 PM

Hi @scelikok  - it seems it didn't work.  Here's my search command.

 

.... | rex field=_raw "(?<Date>[^\|]+)\|(?<Host>[^\|]+)\| (?i)Count=(?<count>[^\|]+)"
| fields + Date, Host, count
| search "mn4.ciodev.lc" OR "mn3.ciodev.lc" OR "hive3.CIOPRD.LC" OR "hive2.cioprd.lc" OR "mn4.cioprd.lc"
| eval Date = strptime(Date,"%a_%b_%m/%d/%Y_%H:%M:%S_%Z") | sort 0 - Date | eval Date = strftime(Date,"%a_%b_%m/%d/%Y_%H:%M:%S_%Z")
| table Date, Host, count
| dedup Host

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 10:48 AM

Hi @bruceaperez,

Your sort by criteria is not certain and I couldn't guess it by looking at your output sample. Do you want to extract one part of host? If yes which part? 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

bruceaperez
New Member
‎03-24-2021 11:04 AM

Hi @scelikok - i want to sort it by host and I want to arrange it by environment. Basically, I want to arrange it first with strings containing "cioprd.lc" then "ciodev.lc".  After I have arranged the host on this manner, then I will have to sort the Count in descending order.

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 09:28 PM

Hi @bruceaperez,

I think the problem was uppercase environment. Below changing environment to lowercase should work for you.

| rex field=Host "\.(?<host_domain>[^\s]+)" 
| eval host_domain=lower(host_domain) 
| sort - host_domain count
| fields - host_domain
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...