Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sorting stats 'list' results in a certain order?

mrgibbon
Contributor
‎08-09-2017 03:43 PM

Hi All, Im working with some vulnerability data and I'm wondering if I can sort the list I have of different vulnerability ratings the way I want it to look. So far I have come up empty on ideas.
At the moment the data is being sorted alphabetically and looks like this:

Critical Severity   
High Severity
Informative 
Low Severity
Medium Severity

I'd like it to look like this:

Critical Severity   
High Severity
Medium Severity
Low Severity
Informative

Possible?
Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-09-2017 04:34 PM

At the point that you have something like this:

| stats values(severity) AS severity BY host

Add this after it:

| rex field=severity mode=sed "s/(Critical Severity)/5:\1/ s/(High Severity)/4:\1/ s/(Medium Severity)/3:\1/ s/(Low Severity)/2:\1/ s/(Informative)/1:\1/"

Then do it again to cause it to be resorted:

| stats values(severity) AS severity BY host

You could do this before you do the stats but then you are changing millions of events instead of a few.
P.S. Yes, this is backwards from your perfect desire but should be close enough. If you REALLY need it the other way, then you can do this instead:

| rex field=severity mode=sed "s/(Critical Severity)/    \1/ s/(High Severity)/   \1/ s/(Medium Severity)/  \1/ s/(Low Severity)/ \1/"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-09-2017 04:34 PM

At the point that you have something like this:

| stats values(severity) AS severity BY host

Add this after it:

| rex field=severity mode=sed "s/(Critical Severity)/5:\1/ s/(High Severity)/4:\1/ s/(Medium Severity)/3:\1/ s/(Low Severity)/2:\1/ s/(Informative)/1:\1/"

Then do it again to cause it to be resorted:

| stats values(severity) AS severity BY host

You could do this before you do the stats but then you are changing millions of events instead of a few.
P.S. Yes, this is backwards from your perfect desire but should be close enough. If you REALLY need it the other way, then you can do this instead:

| rex field=severity mode=sed "s/(Critical Severity)/    \1/ s/(High Severity)/   \1/ s/(Medium Severity)/  \1/ s/(Low Severity)/ \1/"
0 Karma
Reply
Solved! Jump to solution

mrgibbon
Contributor
‎08-09-2017 09:12 PM

Wonderful!
This worked a treat:

| eval sevdesc='severity.description'
| stats count by "Custom Tag", sevdesc 
| rex field=sevdesc mode=sed "s/(Critical Severity)/    \1/ s/(High Severity)/   \1/ s/(Medium Severity)/  \1/ s/(Low Severity)/ \1/"
| stats list(count), values(sevdesc) by "Custom Tag" 
| sort values(sevdesc), -list(count) 
| rename "Custom Tag" AS Application list(count) AS Count values(sevdesc) AS Severity

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...