Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to order a result by the sequence of the terms I've searched?

rafasalo
Engager
‎09-07-2016 01:52 PM

Hello,

I have the following query:

Index=A
BALL
SQUARE
TRIANGLE | stats count by Keyword

The result I get is something like:

TRIANGLE 100
BALL 50
SQUARE 8

I would like to have the result in the same order I've searched. So, I'm expecting this:
BALL 50
SQUARE 8
TRIANGLE 100

Help me, if anybody have any idea.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-07-2016 02:15 PM

Try like this. You'd need to update the keyword string in both subsearch.

index=indexA [| gentimes start=-1 | eval search="BALL SQUARE TRIANGLE" | table search| makemv search | mvexpand search] | stats count by Keyword | append [| gentimes start=-1 | eval Keyword="BALL SQUARE TRIANGLE" | table  Keyword | makemv Keyword | mvexpand Keyword | eval temp=1 count=0 ] | eventstats max(count) as count by Keyword | where temp=1 | table Keyword count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-07-2016 02:15 PM

Try like this. You'd need to update the keyword string in both subsearch.

index=indexA [| gentimes start=-1 | eval search="BALL SQUARE TRIANGLE" | table search| makemv search | mvexpand search] | stats count by Keyword | append [| gentimes start=-1 | eval Keyword="BALL SQUARE TRIANGLE" | table  Keyword | makemv Keyword | mvexpand Keyword | eval temp=1 count=0 ] | eventstats max(count) as count by Keyword | where temp=1 | table Keyword count
0 Karma
Reply
Solved! Jump to solution

rafasalo
Engager
‎09-07-2016 02:26 PM

I think I was not clear.
This is my query:

index=index_cbo_pt [search index=index_cbo ("Scope State: 65280" 3.1.4.0) OR ("Scope State: 65280" 3.1.4.1)| stats count by CNPJ | sort - count | table CNPJ]| stats count by CNPJ

This is what I've got: 

CNPJ                              COUNT
910191019                         450
272817181                         300
818191819                         250

However what I want is a result ordered by the order of my subsearch.

My subsearch results on this:

CNPJ                              
272817181 
910191019                  
818191819

So, what I need is this:

CNPJ                              COUNT
272817181                         300
910191019                         450
818191819                         250
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-07-2016 02:40 PM

Give this a try

index=index_cbo_pt [search index=index_cbo ("Scope State: 65280" 3.1.4.0) OR ("Scope State: 65280" 3.1.4.1)| stats count by CNPJ | sort - count | table CNPJ]| stats count by CNPJ | append [search index=index_cbo ("Scope State: 65280" 3.1.4.0) OR ("Scope State: 65280" 3.1.4.1)| stats count by CNPJ | sort - count | table CNPJ | eval temp=1 | eval count=0 ] | eventstats max(count) as count by CNPJ | where temp=1 | table CNPJ count
0 Karma
Reply
Solved! Jump to solution

rafasalo
Engager
‎09-07-2016 02:42 PM

Great!! Thank you very much!
cheers,

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-07-2016 02:03 PM

How are you getting 3 rows after just executing | stats count?

0 Karma
Reply
Solved! Jump to solution

rafasalo
Engager
‎09-07-2016 02:34 PM

Bellow I explained better. thanks!

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎09-07-2016 02:00 PM

syntax for the sort is sort <count> <sort by class>

something like this index=blah | stats count by field1 | sort 0 field1 Here field1 has the values of your ball, square etc. If you need to sort by ascending you need to use | sort 0 field1 for decending | sort 0 -field1.

Note: If no number is specified for count, the default limit of 10000 is used. If the number 0 is specified, all results are returned

Hope this will help you.

V
0 Karma
Reply
Solved! Jump to solution

rafasalo
Engager
‎09-07-2016 02:26 PM

I think I was not clear.
This is my query:

index=index_cbo_pt [search index=index_cbo ("Scope State: 65280" 3.1.4.0) OR ("Scope State: 65280" 3.1.4.1)| stats count by CNPJ | sort - count | table CNPJ]| stats count by CNPJ

This is what I've got: 

CNPJ                              COUNT
910191019                         450
272817181                         300
818191819                         250

However what I want is a result ordered by the order of my subsearch.

My subsearch results on this:

CNPJ                              
272817181 
910191019                  
818191819

So, what I need is this:

CNPJ                              COUNT
272817181                         300
910191019                         450
818191819                         250
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎09-07-2016 02:00 PM

You search query as you have here, will return only one value. Count of events. I think you are missing a by clause. | stats count by keyword? Assuming it is keyword, you can use the sort command to sort your results

0 Karma
Reply
Solved! Jump to solution

rafasalo
Engager
‎09-07-2016 02:05 PM

The problem is that my keyword is something like a Social Number, so, if I sort, splunk orders considering it a number.

0 Karma
Reply
Solved! Jump to solution

rafasalo
Engager
‎09-07-2016 02:03 PM

You are right. I've edited my query above.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...