Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: When showing data through table, can't sort in...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When showing data through table, can't sort in descending order because null > any numerical value
kkas
Path Finder
06-25-2015
05:48 AM
So I am displaying a ton of events with a very long table with tons of fields (input pkt, output pkt, input octet, output octet, duration...etc) to allow a user to quickly sort by whichever field they choose fit. The problem is when I try to sort through descending order, the null field is considered greater than any of the numerical values, so I have 10+ pages of straight null fields, but I don't want to exclude events with null values and I don't want to represent null fields with zero because that means two different things.
Is there a way to go about fixing the sorting issue caused by null?
My abbreviated search looks as follows
sourcetype=Alpha|table Username, IP_Address, Input_Octets|sort -Input_Octets
which outputs something like
Username | IP Address | Input_Octets
derp | 10.203.... | null
\\\20 pages of null value in input_octet
derp | 10.203.... | 1321234
derp | 10.203.... | 123441
derp | 10.203.... | 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fdi01
Motivator
06-27-2015
10:41 PM
try like
sourcetype=Alpha|eval Input_Octets=if(Input_Octets!="null",Input_Octets,-1)|table Username, IP_Address, Input_Octets|sort -Input_Octets
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ngatchasandra
Builder
06-25-2015
06:18 AM
Hi kkas,
Try with
sourcetype=Alpha|table Username, IP_Address, Input_Octets|sort -num(Input_Octets)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ngatchasandra
Builder
06-25-2015
06:45 AM
Try again with auto attribute. This will determine automatically how to sort the Input_Octets's values.
sourcetype=Alpha|table Username, IP_Address, Input_Octets|sort -auto(Input_Octets)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kkas
Path Finder
06-25-2015
06:27 AM
Cool, this worked for the most part. The one issue I have with this solution is when you try to click the different field tabs at the top to re-sort in different order, it goes back to being null>#. This conflicts with what I'm trying to do to allow the user to sort by clicking the field tabs for quick data analysis of different fields. I may just replace null with -1 and note the change in panel title.
Thanks for your input!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ngatchasandra
Builder
06-25-2015
06:40 AM
Do you want other solution?
Get Updates on the Splunk Community!
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
