Hello dears,
How can I sort these field values?
Field = "port"
OK. It seems I probably overcomplicated things.
You're probably good to go with
<base search> |rex field=ONT "^(?P<ONT>........)" | sort ONT | stats count as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT
| where Toplam_Sikayet >= 10
You might want to replace the sorting part with my other solution if it's not sorting numerically.
Give this a try (using mvsort as the field values are multivalued. Also, moving the 'where' filter to just after stats; filtering should be done as early as possible)
<base search> |rex field=ONT "^(?P<ONT>........)" | stats count as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT
| where Toplam_Sikayet >= 10 | eval OLT_Port=mvsort(OLT_Port)
You're aware that after sorting the order of the port field does not correspond to the order of other mv-fields?
Hmm, you are right. Thank you for your attention. Only the OLT_Port field values are sorted, without the other multivalue fields. This is the problem.
Regards.
If you want the other fields to be sorted according to field OLT_Port, try this version:
<base search> |rex field=ONT "^(?P<ONT>........)"
| stats count by Date OLT Saat ONT H REQUESTNAME
| sort Date OLT ONT
| stats sum(count) as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT
| where Toplam_Sikayet >= 10
Hello, it is working the way I want, but the latest solution is more effortless and gives the same result, just by adding | sort ONT.
So I will accept this.
Thank you very much, you are very kind.
Regards.
As I wrote before - mvsort sorts only values in a single multivalued field. Other fields have no way of "knowing" how to reorder.
So you need to sort the data when it's still in separate events and only afterwards aggregate them if needed (do you need those multivalued fields at all? As you can see they have many drawbacks)
Anyway, you needed something more like
<base search> |rex field=ONT "^(?P<ONT>........)" | stats count as Toplam_Sikayet by Saat ONT H REQUESTNAME Date OLT
| where Toplam_Sikayet >= 10 | sort ONT | stats sum(Toplam_Sikayet) list(Saat) list(ONT) list(H) list(REQUESTNAME) by Date OLT
Kind regards, thank you again.
Kind regards, it's OK now.
Also thank you for all the other replies.
I love this community. 🙂
Sorry, I couldn't. Here is the real search query and result. I want to group or sort the OLT_Port values:
<base search> |rex field=ONT "^(?P<ONT>........)" | stats count as Toplam_Sikayet list(Saat) as Saat list(ONT) as OLT_Port list(H) as Hizmet_ID list(REQUESTNAME) as Sikayet by Date,OLT |sort -OLT_Port
| where Toplam_Sikayet >= 10
Ahhh. Again (someone lately had a similar problem - wasn't that you?) you're creating one multivalued field. You won't sort your data that way. Even if you managed to sort the data within this one column, there's no way to tell the other multivalued fields to reorder. So that's definitely not something you want.
Do not aggregate the fields.
Just do your stats, sort the data, then aggregate and stats again.
The sort command will sort them for you.
| sort port
This view also sorts port, but it is not sorting.
Please use more words. What exactly are you trying to do? How exactly are you trying to do it? What are the results? What results did you expect? What problem are you trying to solve?
These are port numbers and I want to sort port with the same numbers,
like this,
0/1/0/0
0/1/0/0
0/2/1/1
0/2/2/1
0/2/2/1
Regards.
I suppose your problem is that "normal" sort sorts the values as strings (lexicographically) and you want to have them sorted with numerical values of each "field".
Assuming you have your data in a field called "a"
<your_search> | rex field=a "(?<d1>\d+)/(?<d2>\d+)/(?<d3>\d+)/(?<d4>\d+)"
| sort d1 d2 d3 d4
| eval a=d1."/".d2."/".d3."/".d4
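
The two approaches discussed in this thread, modelled in plain Python as an added example (not code from any poster, and not SPL): it shows why mvsort after stats leaves the other multivalue columns misaligned, and why sorting events numerically before stats list() keeps each row together. The event rows and the helper names (port_key, aggregate, rows and so on) are constructed for illustration.

```python
# Added illustration: a Python model of the SPL pipelines discussed above.
# EVENTS is constructed sample data; all helper names are hypothetical.
from collections import defaultdict

EVENTS = [  # (Date, OLT, ONT port, Saat, REQUESTNAME) - constructed rows
    ("2024-01-05", "OLT1", "0/10/0/1", "09:15", "no-signal"),
    ("2024-01-05", "OLT1", "0/2/1/1", "08:40", "slow"),
    ("2024-01-05", "OLT1", "0/1/0/0", "11:30", "drop"),
    ("2024-01-05", "OLT1", "0/2/1/1", "10:05", "no-signal"),
]


def port_key(port):
    """Numeric key, like rex d1..d4 followed by 'sort d1 d2 d3 d4'."""
    return tuple(int(part) for part in port.split("/"))


def aggregate(events):
    """Model of 'stats list(...) by Date,OLT': list() keeps arrival order."""
    groups = defaultdict(lambda: {"OLT_Port": [], "Saat": [], "Sikayet": []})
    for date, olt, port, saat, request in events:
        group = groups[(date, olt)]
        group["OLT_Port"].append(port)
        group["Saat"].append(saat)
        group["Sikayet"].append(request)
    return dict(groups)


def mvsort_after_stats(events):
    """Model of 'stats ... | eval OLT_Port=mvsort(OLT_Port)'."""
    result = aggregate(events)
    for group in result.values():
        # mvsort sorts lexicographically and touches only this one column.
        group["OLT_Port"] = sorted(group["OLT_Port"])
    return result


def sort_before_stats(events):
    """Model of sorting single events by numeric port parts, then stats."""
    ordered = sorted(events, key=lambda e: (e[0], e[1], port_key(e[2])))
    return aggregate(ordered)


def rows(group):
    """Read the parallel multivalue columns back as rows, as a table would."""
    return list(zip(group["OLT_Port"], group["Saat"], group["Sikayet"]))


if __name__ == "__main__":
    key = ("2024-01-05", "OLT1")
    print("mvsort after stats:", rows(mvsort_after_stats(EVENTS)[key]))
    print("sort before stats: ", rows(sort_before_stats(EVENTS)[key]))
```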