Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sort fieldnames

skodak
Explorer
‎07-11-2020 05:28 PM

AccountName FAILURE SUCCESS IMPACT LOSS% Total

Account120001490.111.3310804
Account220812620.109.552043
Account3163015540.019.491017

 

Output was from inner join

I want the output like - alignment of field names. Sorting the order of field names.

Before - 

AccountName    FAILURE SUCCESS  IMPACT LOSS% Total 

 

After sorting  should be -

 

AccountName    FAILURE SUCCESS Total   IMPACT LOSS%

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-12-2020 10:13 AM
The table command is the one to use to re-order fields for display.
Please share your query so we can see what may be throwing things off.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-11-2020 05:58 PM

Use the table command to specify the order in which fields should be displayed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

skodak
Explorer
‎07-11-2020 07:49 PM

@richgalloway I have used table in second query and chart in first. I am not getting the desired result.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-12-2020 10:13 AM
The table command is the one to use to re-order fields for display.
Please share your query so we can see what may be throwing things off.
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-12-2020 02:18 AM 
index=_internal 
| head 3 
| fields _raw _time 
| streamstats count 
| eval _raw=case(count=1,"AccountName=Account1,FAILURE=2000,SUCCESS=149,IMPACT=0.1,LOSS%=11.33,Total=10804",count=2,"AccountName=Account2,FAILURE=2081,SUCCESS=262,IMPACT=0.10,LOSS%=9.55,Total=2043"
    ,count=3,"AccountName=Account3,FAILURE=1630,SUCCESS=1554,IMPACT=0.01,LOSS%=9.49,Total=1017") 
| fields - count 
| kv 
| rename LOSS as "LOSS%" 
| table AccountName FAILURE SUCCESS Total IMPACT LOSS%

I'm not sure when it can't table.

 

0 Karma
Reply
Solved! Jump to solution

skodak
Explorer
‎07-12-2020 06:31 AM

@to4kawa  I have mutliple Account_NM which will be generated in realtime. The ACCOUNT_NM which I provided was sample data.

Thank you for the info though 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...