Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to sort the column names alphabetically at the end of the search?

HattrickNZ
Motivator
‎03-11-2019 06:00 PM

This is my sample search: 

| makeresults 
     | eval data = "
1-Sep    657 34 35;
2-Sep    434 34 35;
    " 
     | makemv delim=";" data
     | mvexpand data
     | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)"
     | fields + Date kpi1 kpi2 kpi3 | fields - _time
     | search kpi1 = * 
     |rename kpi1 as  "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times" 
     | rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures" 
     | rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
     | <command(s) goes here>

This gives me the columns in the following order - left to right

1/

Date    
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times  
Incoming Calls in Mobile Office Directions - Common Resources Application Failures  
Incoming Calls in Mobile Office Directions - Assignment Failures

Is there a command that I can add on that will sort these alphabetically to give me
2/

Date    
Incoming Calls in Mobile Office Directions - Assignment Failures
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times
Incoming Calls in Mobile Office Directions - Common Resources Application Failures

I know I can reorder the kpis in this part of the search
| fields + Date kpi1 kpi2 kpi3 |
But my question is more about after that and putting a specific command or commands to sort it alphabetically as 2/ above.
| <command(s) goes here>

Tags (3)
0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-11-2019 06:06 PM

You can use * with table and it will do it in ascii order:

e.g. |table * (but this might have fields you need to remove with |fields -)

or |table Date Inc*

All the best

Reply

niketn
Legend
‎03-11-2019 06:42 PM

@chrisyoungerjds rather than using table a fields can be used directly, the same is anyways there in the current query:

| makeresults 
| eval data = "
 1-Sep    657 34 35;
 2-Sep    434 34 35;
     " 
| makemv delim=";" data 
| mvexpand data 
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)" 
| fields - _time 
| search kpi1 = * 
| rename kpi1 as "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times" 
| rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures" 
| rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
| fields + Date "Incoming Calls in Mobile Office Directions - *"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-11-2019 07:01 PM

Yes you are absolutly right. Better to use fields over table

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...