custom sort field values

corehan
Explorer

Hello dears,

How can I sort these field values?

Field = "port"

0/1/0/2/
0/8/0/7/
0/2/0/3/
0/5/0/2/
0/6/0/3/
0/16/0/2
0/18/0/6
0/16/0/5
0/4/0/2/
0/6/0/2/
0/18/0/2
0/12/0/4
0/3/0/7/
 
Regards.
1 Solution

PickleRick
SplunkTrust

OK. It seems I probably overcomplicated things.

You're probably good to go with

<base search> |rex field=ONT "^(?P<ONT>........)" | sort ONT | stats count as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT 
| where Toplam_Sikayet >= 10 

You might want to replace the sorting part with my other solution if it's not sorting numerically.


somesoni2
SplunkTrust

Give this a try (using mvsort, as the field values are multivalued. Also, I moved the 'where' filter to just after stats; filtering should be done as early as possible).

<base search> |rex field=ONT "^(?P<ONT>........)" | stats count as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT 
| where Toplam_Sikayet >= 10 | eval OLT_Port=mvsort(OLT_Port)

PickleRick
SplunkTrust

You're aware that after sorting the order of the port field does not correspond to the order of other mv-fields?


corehan
Explorer

Hmm, you are right. Thank you for your attention. Only the OLT_Port field values are sorted, not the other multivalue fields. This is the problem.

Regards.


somesoni2
SplunkTrust

If you want the other fields to be sorted according to field OLT_Port, try this version:

 

<base search> |rex field=ONT "^(?P<ONT>........)" 
| stats count by Date OLT Saat ONT H REQUESTNAME
| sort Date OLT ONT
| stats sum(count) as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT 
| where Toplam_Sikayet >= 10

 


corehan
Explorer

Hello, it is working as I want, but the latest solution is more effortless with the same result, just adding | sort ONT.

So i will accept this.

Thank you very much, you are very kind.

 

Regards.


PickleRick
SplunkTrust

As I wrote before - mvsort sorts only values in a single multivalued field. Other fields have no way of "knowing" how to reorder.

So you need to sort the data when it's still in separate events and only afterwards aggregate them if needed (do you need those multivalued fields at all? As you can see they have many drawbacks).

Anyway, you needed something more like

<base search> |rex field=ONT "^(?P<ONT>........)" | stats count as Toplam_Sikayet by Saat ONT H REQUESTNAME Date OLT 
| where Toplam_Sikayet >= 10 | sort ONT | stats sum(Toplam_Sikayet) list(Saat) list(ONT) list(H) list(REQUESTNAME) by Date OLT
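The "sort the events first, aggregate afterwards" pattern from the replies above (somesoni2's two-stage stats and PickleRick's version), as an added self-contained example that is not code from the original posts. The complaint records are constructed inline with makeresults so it runs on any Splunk instance without real data; the field names Date, OLT, ONT, Saat, H and REQUESTNAME follow the thread, while the zero-padded port_key field, the sample values and the threshold of 3 are my own assumptions.

```spl
| makeresults
| eval rows="2021-10-01,OLT1,0/16/0/2,10:05,H1001,NoSync;2021-10-01,OLT1,0/2/0/3,10:12,H1002,SlowSpeed;2021-10-01,OLT1,0/8/0/7,10:20,H1003,NoSync;2021-10-01,OLT1,0/2/0/3,11:02,H1004,PacketLoss;2021-10-01,OLT2,0/12/0/4,10:30,H2001,NoSync;2021-10-01,OLT2,0/3/0/7,10:41,H2002,SlowSpeed"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<Date>[^,]+),(?<OLT>[^,]+),(?<ONT>[^,]+),(?<Saat>[^,]+),(?<H>[^,]+),(?<REQUESTNAME>[^,]+)$"
| fields - rows _time
| rex field=ONT "^(?<p1>\d+)/(?<p2>\d+)/(?<p3>\d+)/(?<p4>\d+)"
| eval port_key=printf("%03d/%03d/%03d/%03d", tonumber(p1), tonumber(p2), tonumber(p3), tonumber(p4))
| sort 0 Date OLT port_key Saat
| stats count as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date OLT
| where Toplam_Sikayet >= 3
```

Because the events are ordered before stats runs, every list() field is built in the same order, so the OLT1 row comes out with OLT_Port = 0/2/0/3, 0/2/0/3, 0/8/0/7, 0/16/0/2 and Hizmet_ID = H1002, H1004, H1003, H1001 still lined up row by row; OLT2 has only two complaints and is dropped by the where filter. Applying | eval OLT_Port=mvsort(OLT_Port) after the stats instead would reorder that one field alone (and lexicographically, placing 0/16/0/2 ahead of 0/2/0/3) while Hizmet_ID, Saat and Sikayet kept their arrival order, which is the mismatch PickleRick describes. The zero-padded port_key exists so that a plain string sort gives numeric order; sort 0 lifts the default 10000-result limit; and list() keeps at most 100 values per field, so for Date/OLT pairs with more complaints than that the later values are silently dropped.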


corehan
Explorer

Kind regards, thank you again.


corehan
Explorer

Kind regards, it's OK now.

Also thank you for all the other replies.

 

I love this community. 🙂


corehan
Explorer

Sorry, I couldn't. Here is the real search query and result. I want to group or sort the OLT_Port values:

<base search> |rex field=ONT "^(?P<ONT>........)" | stats count as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT |sort -OLT_Port
| where Toplam_Sikayet >= 10

[attached screenshot corehan_0-1633014458293.png of the search results]

PickleRick
SplunkTrust

Ahhh. Again (someone lately had similar problem - wasn't that you?) you're creating one multivalued field. You won't sort your data that way. Even if you managed to sort the data within this one column, there's no way to tell the other multivalued fields to reorder. So that's definitely not something you want.

Do not aggregate the fields.

Just do your stats, sort the data, then aggregate and stats again.


richgalloway
SplunkTrust

The sort command will sort them for you.

| sort port

 


corehan
Explorer

This also sorts port, but it is not sorting.


richgalloway
SplunkTrust

Please use more words. What exactly are you trying to do? How exactly are you trying to do it? What are the results? What results did you expect? What problem are you trying to solve?


corehan
Explorer

These are port numbers and I want to sort the ports with the same numbers together,

like this:

0/1/0/0
0/1/0/0
0/2/1/1
0/2/2/1
0/2/2/1

Regards.


PickleRick
SplunkTrust

I suppose your problem is that "normal" sort sorts the values as strings (lexicographically) and you want to have them sorted with numerical values of each "field".

Assuming you have your data in a field called "a"

<your_search> | rex field=a "(?<d1>\d+)/(?<d2>\d+)/(?<d3>\d+)/(?<d4>\d+)" 
| sort d1 d2 d3 d4
| eval a=d1."/".d2."/".d3."/".d4
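A self-contained version of that numeric sort, added here as an example and not taken from the reply above. The port values are constructed inline with makeresults (the field is named port rather than a, and the values are a subset of those in the question); the num() wrappers and sort 0 are my additions.

```spl
| makeresults
| eval port="0/1/0/2,0/8/0/7,0/16/0/2,0/2/0/3,0/12/0/4,0/18/0/6"
| makemv delim="," port
| mvexpand port
| rex field=port "^(?<d1>\d+)/(?<d2>\d+)/(?<d3>\d+)/(?<d4>\d+)$"
| sort 0 num(d1) num(d2) num(d3) num(d4)
| table port d1 d2 d3 d4
```

On this input a plain | sort port returns 0/1/0/2, 0/12/0/4, 0/16/0/2, 0/18/0/6, 0/2/0/3, 0/8/0/7, because the whole string is compared character by character and "1" sorts before "2" regardless of what follows it; sorting on the four extracted components gives 0/1/0/2, 0/2/0/3, 0/8/0/7, 0/12/0/4, 0/16/0/2, 0/18/0/6. sort normally guesses whether a field is numeric, so num() only makes that explicit, and sort 0 removes the default 10000-result cap. Since rex adds fields without touching the one it reads from, the trailing eval that rebuilds the value in the reply above is not needed.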