Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

sort on second field of mvzipped field

splunkdivya
Explorer
‎03-15-2018 02:19 AM

Hi,

I have a multivalue field with the name of user and the monthly expenses and another column of time. e.g:
column1 | column2

John-100 | Jan 2018
George-144 | Jan 2017

Jenny-400 |
Rose-391|Feb 2018
Jasmine-25|April 2017
Alice-23|

I need to first sort on time and then the expenditure. The Name and expenditure column is multivalue value field created by mvzip. The desired output looks like:

Rose-391 | Feb2018
John-100 | Jan 2018
Jasmine-25|April 2017
Alice-23|
Jenny-400 | Jan 2017

George-144 |

P.S. Jenny and George are values for Jan 2017, likewise Jasmine and Alice for April 2017.

Let me know for pointers. mvsort didnt work for me... May be I am missing on something.

Best,

0 Karma
Reply

logloganathan
Motivator
‎03-15-2018 04:14 AM

Hi Divya,

this is command i can provide for you..from there you can develop

| makeresults | eval name="rose,jose,jenny,george"|eval expenditure="100,23,24,111"|eval name=split(name,",")|eval expenditure=split(expenditure,",") |eval total=mvzip(name,expenditure,"----") | eval sorted=mvsort(total) | table sorted

result:
george----111
jenny----24
jose----23
rose----100

0 Karma
Reply

p_gurav
Champion
‎03-15-2018 02:44 AM

Can you give query your are using?

0 Karma
Reply

splunkdivya
Explorer
‎03-15-2018 03:10 AM

Thanks for your response,

PFB a dummy query:

| makeresults | eval name="rose,jose,jenny,george"|eval expenditure="100,23,24,111"|eval name=split(name,",")|eval expenditure=split(expenditure,",")|eval total=mvzip(name,expenditure,"----")

Output should be:
Jose-23
Jenny-24
rose-100
goerge-111

Please let me know if this clears the confusion.

Best,

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...