Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Sorting stats 'list' results in a certain order?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All, Im working with some vulnerability data and I'm wondering if I can sort the list I have of different vulnerability ratings the way I want it to look. So far I have come up empty on ideas.
At the moment the data is being sorted alphabetically and looks like this:
Critical Severity
High Severity
Informative
Low Severity
Medium Severity
I'd like it to look like this:
Critical Severity
High Severity
Medium Severity
Low Severity
Informative
Possible?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At the point that you have something like this:
| stats values(severity) AS severity BY host
Add this after it:
| rex field=severity mode=sed "s/(Critical Severity)/5:\1/ s/(High Severity)/4:\1/ s/(Medium Severity)/3:\1/ s/(Low Severity)/2:\1/ s/(Informative)/1:\1/"
Then do it again to cause it to be resorted:
| stats values(severity) AS severity BY host
You could do this before you do the stats but then you are changing millions of events instead of a few.
P.S. Yes, this is backwards from your perfect desire but should be close enough. If you REALLY need it the other way, then you can do this instead:
| rex field=severity mode=sed "s/(Critical Severity)/ \1/ s/(High Severity)/ \1/ s/(Medium Severity)/ \1/ s/(Low Severity)/ \1/"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At the point that you have something like this:
| stats values(severity) AS severity BY host
Add this after it:
| rex field=severity mode=sed "s/(Critical Severity)/5:\1/ s/(High Severity)/4:\1/ s/(Medium Severity)/3:\1/ s/(Low Severity)/2:\1/ s/(Informative)/1:\1/"
Then do it again to cause it to be resorted:
| stats values(severity) AS severity BY host
You could do this before you do the stats but then you are changing millions of events instead of a few.
P.S. Yes, this is backwards from your perfect desire but should be close enough. If you REALLY need it the other way, then you can do this instead:
| rex field=severity mode=sed "s/(Critical Severity)/ \1/ s/(High Severity)/ \1/ s/(Medium Severity)/ \1/ s/(Low Severity)/ \1/"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wonderful!
This worked a treat:
| eval sevdesc='severity.description'
| stats count by "Custom Tag", sevdesc
| rex field=sevdesc mode=sed "s/(Critical Severity)/ \1/ s/(High Severity)/ \1/ s/(Medium Severity)/ \1/ s/(Low Severity)/ \1/"
| stats list(count), values(sevdesc) by "Custom Tag"
| sort values(sevdesc), -list(count)
| rename "Custom Tag" AS Application list(count) AS Count values(sevdesc) AS Severity
Thanks!
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Splunk App Dev Community Updates – What’s New and What’s Next
The Latest Cisco Integrations With Splunk Platform!
