Hi Splunkers,
I need help on how to sort these multi-value fields based on the latest timestamp and status.
Here's my dummy query for this.
| makeresults
| eval hostname = "server101"
| eval id = "123|124"
| eval database_timestamp = "Mar 03, 2022 12:59:46 PM|Feb 23, 2022 1:19:24 PM"
| eval database_status = "Online|Offline (30 days ago)"
| eval server_timestamp = "Feb 22, 2022 1:19:24 PM|Mar 01, 2022 12:59:46 PM"
| eval server_status = "Offline (31 days ago)|Online"
| fields hostname id database_timestamp database_status server_timestamp server_status
| makemv delim="|" database_timestamp
| makemv delim="|" database_status
| makemv delim="|" server_timestamp
| makemv delim="|" server_status
| makemv delim="|" id
Below is the sample output and expected output.
Current Output:

| hostname | database_timestamp | database_status | server_timestamp | server_status |
| --- | --- | --- | --- | --- |
| server101 | Mar 03, 2022 12:59:46 PM | Online | Feb 22, 2022 1:19:24 PM | Offline (31 days ago) |
| | Feb 23, 2022 1:19:24 PM | Offline (30 days ago) | Mar 01, 2022 12:59:46 PM | Online |

Expected Output:

| hostname | database_timestamp | database_status | server_timestamp | server_status |
| --- | --- | --- | --- | --- |
| server101 | Mar 03, 2022 12:59:46 PM | Online | Mar 01, 2022 12:59:46 PM | Online |
| | Feb 23, 2022 1:19:24 PM | Offline (30 days ago) | Feb 22, 2022 1:19:24 PM | Offline (31 days ago) |