- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- sort columns that with the highest Total to the le...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sort columns that with the highest Total to the left
Hello,
I have the following search:
index="_internal" sourcetype="scheduler" thread_id="AlertNotifier*" NOT (alert_actions="summary_index"OR alert_actions="" )
| rex field=savedsearch_id "(.+;.+;(?P<title>.+))"
| timechart useother=f limit=200 span=1h count by title
| addcoltotals labelfield=_time label="Total Sum"
| addtotals
| sort _time desc
| table _time, Total, *
| where Total != 0
| rename Total AS "#Alerts/h"
it should build the table of the triggered alerts with the frequency per hour. Basically it works fine, but I would like to achieve one more thing:
- I would like the columns with the highest "Total sum" to be ordered from left to right. The goal is that I can see the alerts being executed the most straight away on the left side of the table.
How would I achieve this?
Kind Regards,
Kamil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try padding with leading whitespace like this:
index="_internal" sourcetype="scheduler" thread_id="AlertNotifier*" NOT (alert_actions="summary_index"OR alert_actions="" )
| rex field=savedsearch_id "(.+;.+;(?P<title>.+))"
| timechart useother=f limit=200 span=1h count by title
| untable _time search errors
| eventstats sum(errors) AS TOTAL_ERRORS BY search
| sort 0 TOTAL_ERRORS
| streamstats dc(search) AS rank
| eventstats first(rank) AS rank BY search
| rename COMMENT AS "Pad with spaces to ensure that the search with the most errors show up leftmost!"
| eval search = printf("%*s", len(search) + rank, search)
| fields - rank TOTAL_ERRORS
| addcoltotals labelfield=_time label="Total Sum"
| xyseries _time search errors
| addtotals
| sort _time desc
| table _time, Total, *
| where Total != 0
| rename Total AS "#Alerts/h"
Yes, this means we are doing the totalling twice.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How would i do the same thing with this search?
index="prod_license_summary" | rename indexname as idx | eval GB=MB/1024 | lookup index_list.csv idx OUTPUTNEW idx environment owner
| table _time idx sourcetypename GB environment owner | where owner="ghprod" AND environment="prod"
| timechart limit=0 span=1d sum(GB) by sourcetypename
| fillnull value=0
| addcoltotals labelfield=_time label="Total"
| sort Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="_internal" sourcetype="scheduler" thread_id="AlertNotifier*" NOT (alert_actions="summary_index"OR alert_actions="" )
| rex field=savedsearch_id "(.+;.+;(?P<title>.+))"
| timechart useother=f limit=200 span=1h count by title
| addcoltotals labelfield=_time
| table _time *
| tail 1
| fields - _*
| transpose 0
| sort - "row 1"
| rename "row 1" as "Total Sum"
| transpose 0 header_field=column column_name=_time
| append
[ search index="_internal" sourcetype="scheduler" thread_id="AlertNotifier*" NOT (alert_actions="summary_index"OR alert_actions="" )
| rex field=savedsearch_id "(.+;.+;(?P<title>.+))"
| timechart useother=f limit=200 span=1h count by title
| reverse]
| reverse
| addtotals
| sort _time desc
| table _time, Total, *
| where Total != 0
| rename Total AS "#Alerts/h"
First: make header with appropriate order.
Second: append original query results. At that time, reverse the time order.
Last: reverse and display them
Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...
Preparing your Splunk Environment for OpenSSL3
Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector
