Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sorting stats 'list' results in a certain order?

mrgibbon
Contributor
‎08-09-2017 03:43 PM

Hi All, Im working with some vulnerability data and I'm wondering if I can sort the list I have of different vulnerability ratings the way I want it to look. So far I have come up empty on ideas.
At the moment the data is being sorted alphabetically and looks like this:

Critical Severity   
High Severity
Informative 
Low Severity
Medium Severity

I'd like it to look like this:

Critical Severity   
High Severity
Medium Severity
Low Severity
Informative

Possible?
Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-09-2017 04:34 PM

At the point that you have something like this:

| stats values(severity) AS severity BY host

Add this after it:

| rex field=severity mode=sed "s/(Critical Severity)/5:\1/ s/(High Severity)/4:\1/ s/(Medium Severity)/3:\1/ s/(Low Severity)/2:\1/ s/(Informative)/1:\1/"

Then do it again to cause it to be resorted:

| stats values(severity) AS severity BY host

You could do this before you do the stats but then you are changing millions of events instead of a few.
P.S. Yes, this is backwards from your perfect desire but should be close enough. If you REALLY need it the other way, then you can do this instead:

| rex field=severity mode=sed "s/(Critical Severity)/    \1/ s/(High Severity)/   \1/ s/(Medium Severity)/  \1/ s/(Low Severity)/ \1/"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-09-2017 04:34 PM

At the point that you have something like this:

| stats values(severity) AS severity BY host

Add this after it:

| rex field=severity mode=sed "s/(Critical Severity)/5:\1/ s/(High Severity)/4:\1/ s/(Medium Severity)/3:\1/ s/(Low Severity)/2:\1/ s/(Informative)/1:\1/"

Then do it again to cause it to be resorted:

| stats values(severity) AS severity BY host

You could do this before you do the stats but then you are changing millions of events instead of a few.
P.S. Yes, this is backwards from your perfect desire but should be close enough. If you REALLY need it the other way, then you can do this instead:

| rex field=severity mode=sed "s/(Critical Severity)/    \1/ s/(High Severity)/   \1/ s/(Medium Severity)/  \1/ s/(Low Severity)/ \1/"
0 Karma
Reply
Solved! Jump to solution

mrgibbon
Contributor
‎08-09-2017 09:12 PM

Wonderful!
This worked a treat:

| eval sevdesc='severity.description'
| stats count by "Custom Tag", sevdesc 
| rex field=sevdesc mode=sed "s/(Critical Severity)/    \1/ s/(High Severity)/   \1/ s/(Medium Severity)/  \1/ s/(Low Severity)/ \1/"
| stats list(count), values(sevdesc) by "Custom Tag" 
| sort values(sevdesc), -list(count) 
| rename "Custom Tag" AS Application list(count) AS Count values(sevdesc) AS Severity

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...