Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

sort on second field of mvzipped field

splunkdivya
Explorer
‎03-15-2018 02:19 AM

Hi,

I have a multivalue field with the name of user and the monthly expenses and another column of time. e.g:
column1 | column2

John-100 | Jan 2018
George-144 | Jan 2017

Jenny-400 |
Rose-391|Feb 2018
Jasmine-25|April 2017
Alice-23|

I need to first sort on time and then the expenditure. The Name and expenditure column is multivalue value field created by mvzip. The desired output looks like:

Rose-391 | Feb2018
John-100 | Jan 2018
Jasmine-25|April 2017
Alice-23|
Jenny-400 | Jan 2017

George-144 |

P.S. Jenny and George are values for Jan 2017, likewise Jasmine and Alice for April 2017.

Let me know for pointers. mvsort didnt work for me... May be I am missing on something.

Best,

0 Karma
Reply

logloganathan
Motivator
‎03-15-2018 04:14 AM

Hi Divya,

this is command i can provide for you..from there you can develop

| makeresults | eval name="rose,jose,jenny,george"|eval expenditure="100,23,24,111"|eval name=split(name,",")|eval expenditure=split(expenditure,",") |eval total=mvzip(name,expenditure,"----") | eval sorted=mvsort(total) | table sorted

result:
george----111
jenny----24
jose----23
rose----100

0 Karma
Reply

p_gurav
Champion
‎03-15-2018 02:44 AM

Can you give query your are using?

0 Karma
Reply

splunkdivya
Explorer
‎03-15-2018 03:10 AM

Thanks for your response,

PFB a dummy query:

| makeresults | eval name="rose,jose,jenny,george"|eval expenditure="100,23,24,111"|eval name=split(name,",")|eval expenditure=split(expenditure,",")|eval total=mvzip(name,expenditure,"----")

Output should be:
Jose-23
Jenny-24
rose-100
goerge-111

Please let me know if this clears the confusion.

Best,

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...