Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Sort fieldnames

skodak
Explorer
‎07-11-2020 05:28 PM

AccountName FAILURE SUCCESS IMPACT LOSS% Total

Account120001490.111.3310804
Account220812620.109.552043
Account3163015540.019.491017

 

Output was from inner join

I want the output like - alignment of field names. Sorting the order of field names.

Before - 

AccountName    FAILURE SUCCESS  IMPACT LOSS% Total 

 

After sorting  should be -

 

AccountName    FAILURE SUCCESS Total   IMPACT LOSS%

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-12-2020 10:13 AM
The table command is the one to use to re-order fields for display.
Please share your query so we can see what may be throwing things off.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-11-2020 05:58 PM

Use the table command to specify the order in which fields should be displayed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

skodak
Explorer
‎07-11-2020 07:49 PM

@richgalloway I have used table in second query and chart in first. I am not getting the desired result.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-12-2020 10:13 AM
The table command is the one to use to re-order fields for display.
Please share your query so we can see what may be throwing things off.
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-12-2020 02:18 AM 
index=_internal 
| head 3 
| fields _raw _time 
| streamstats count 
| eval _raw=case(count=1,"AccountName=Account1,FAILURE=2000,SUCCESS=149,IMPACT=0.1,LOSS%=11.33,Total=10804",count=2,"AccountName=Account2,FAILURE=2081,SUCCESS=262,IMPACT=0.10,LOSS%=9.55,Total=2043"
    ,count=3,"AccountName=Account3,FAILURE=1630,SUCCESS=1554,IMPACT=0.01,LOSS%=9.49,Total=1017") 
| fields - count 
| kv 
| rename LOSS as "LOSS%" 
| table AccountName FAILURE SUCCESS Total IMPACT LOSS%

I'm not sure when it can't table.

 

0 Karma
Reply
Solved! Jump to solution

skodak
Explorer
‎07-12-2020 06:31 AM

@to4kawa  I have mutliple Account_NM which will be generated in realtime. The ACCOUNT_NM which I provided was sample data.

Thank you for the info though 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...