Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sort based on first count generated by xyseries dynamically

k_harini
Communicator
‎10-22-2017 02:57 AM

I want to sort based on the 2nd column generated dynamically post using xyseries command
index="aof_mywizard_deploy_idx" sourcetype="aof_tm_source" | rename "Timelines_FY17 FY18_Q1" as "Completetion_date" |eval c_status=upper('Current Week Status') |search c_status!="TBC"| stats count(c_status) as count by Completetion_date c_status |eventstats sum(count) as Total by Completetion_date| eval ragcount% = (round((count/Total)100))."%"| xyseries c_status Completetion_date count ragcount%|rename "count: *" as ":Count" "ragcount%: " as ":Percent%" |table c_status *|rename c_status as "RAG STATUS"

Columns generated are Rag status, FY17:Count FY17:percent% Fy18-Q1:count.. etc. I want to sort with the first count (in this case FY17:Count) . How can i do that? can some one please help? if i give sort - "FY17:Count" it works.. but since its dynamically generated , is there a way to handle this?

0 Karma
Reply

Sukisen1981
Champion
‎10-22-2017 04:08 AM

Hi - You can use the value of another field as the name of the destination field by using curly brackets, { }. For example, if you have an event with the following fields, aName=counter and aValue=1234. Use | eval {aName}=aValue to return counter=1234.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Eval

Add a dynamic eval |eval {xxxx}=value, then | sort -eval {xxxx}

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...