sort table values by table values

sarit_s
Communicator

Hello

I have a table with 3 columns

1 is strings

and 2 columns with numbers

Is there a way to sort the table from the highest number to lowest from all the values in the table?

for example:

sarit_s_0-1630568310308.png

This is part of my table and I want to sort the numbers in "priority" and "silverpop" regardless of whether it's one of them, just to see the row with the highest value first.

0 Karma
1 Solution

PickleRick
SplunkTrust

If I understand you correctly, you have more than one column and you want to sort by the higher of the values of those columns, right? So if you have, for example

a11
b122
c46
d68
e725
f374
g511
h23

You would like to have, as an output

f374
e725
b122
g511
d68
c46
h23
a11

If so, then it's probably easiest to add a synthetic column which will be used for sorting and remove it after sorting.

< your search > | eval sortcol=max(col1,col2) | sort - sortcol | fields - sortcol

0 Karma


sarit_s
Communicator

Hey,

thanks

but it is sorting only the first column

this is my query:

sourcetype="kube:container:notificationsservice-workerservice" Message="Filtered channel context" ("ContextData.ChannelName"=SalesforceEmail OR "ContextData.ChannelName"=SalesforcePriorityEmail)
| stats count AS Priority BY "AdditionalData.Meta.NotificationType"
| rename "AdditionalData.Meta.NotificationType" As Column
| append [ search 
     sourcetype="Silverpop-Transactional-*" Message="Message was successfully sent to *"
     | stats count AS Silverpop BY "AdditionalData.additionalData.AdditionalParameters.MailingID"
     | rename "AdditionalData.additionalData.AdditionalParameters.MailingID" AS Column
     ] | eval sortcol=max(Priority,SilverPop) | sort - sortcol | fields - sortcol

0 Karma

PickleRick
SplunkTrust

Well, |sort sorts all rows by the specified columns, so I don't understand what you mean by "sorts only first column".

0 Karma

sarit_s
Communicator

The result of this query sorts only the Priority column; it is ignoring the Silverpop one.

0 Karma

sarit_s
Communicator

Sorry, it's my bad, I had a typo.

Thanks, it's working.

0 Karma

PickleRick
SplunkTrust

No. It seems you have empty results in those columns. That way max(a,b) doesn't make sense if both values are not numbers. So it will not calculate an output value.

You might want to fillnull with a low value before doing the eval=max[...].

0 Karma
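
A run-anywhere version of the approach discussed in this thread, as an added example that is not from any of the posters. The field names Column, Priority and Silverpop come from the query above; the row values are constructed samples, and each appended row carries only one of the two count columns, as the append in the original query produces.

```spl
| makeresults
| eval Column="constructed-notification-A", Priority=120
| append [| makeresults | eval Column="constructed-notification-B", Priority=15]
| append [| makeresults | eval Column="constructed-mailing-1", Silverpop=480]
| append [| makeresults | eval Column="constructed-mailing-2", Silverpop=42]
| fields - _time
| fillnull value=0 Priority Silverpop
| eval sortcol=max(Priority, Silverpop)
| sort - sortcol
| fields - sortcol
```

Field names in eval are case-sensitive, so the name passed to max() has to match the name given in the stats ... AS clause exactly.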