Eval fields are returned in strange order when using transaction and join commands

fere
Path Finder

I have defined the following search, but it returns the fields in the wrong order:

source="xxxx" | eventTransIncludeOrphans("step1Invite","step1end" ) | stats count as all_req_invite_count, count(eval(_txn_orphan=1)) as req_invite_orphan_count | eval dropPct = req_invite_orphan_count/ all_req_invite_count * 100 | join nextStep [search source="xxxx" |eventTransIncludeOrphans("step2Invite","step2end" ) | stats count as all_req_invite_count2, count(eval(_txn_orphan=1)) as req_invite_orphan_count2 | eval dropPct2 = req_invite_orphan_count2/ all_req_invite_count2 * 100 ]

The fields show up in the following order - dropPct and dropPct2 are in the wrong places:

all_req_invite_count    req_invite_orphan_count all_req_invite_count2   dropPct dropPct2    req_invite_orphan_count2

If I don't include the 2 pct fields, the 4 fields returned show up in the order in which they were defined.
How can I make them all show up in the order in which they were defined in the search string?
Thanks

1 Solution

cphair
Builder

You can reorder the fields by piping your whole search to the fields command, specifying the order you want them to take.


... | fields all_req_invite_count, req_invite_orphan_count, dropPct, all_req_invite_count2, req_invite_orphan_count2, dropPct2


fere
Path Finder

thx, worked.
