Hi all
My question has to do with sorting. Basically, my field looks like this, and I want it sorted by the last bit that is in parentheses (as shown):
Dec12(V7)
April13(V71)
Nov14(V74)
However, when I use the sort command I get back the field sorted in alphabetical order, so:
April13(V71)
Dec12(V7)
Nov14(V74)
Is there any way I can achieve this?
Thank you
You could create an auxiliary field that you eventually hide from your results:
... | rex field=myfield "[A-Za-z]+\d{2}\(V(?<newfield>\d+)\)"
| convert num(newfield)
| sort newfield
| fields myfield
rex will create a new field that only contains the numeric portion in parentheses. Since you probably want to display V8 before V70 you need to treat the new field as a number, ignoring the "V".
Finally you can just ignore newfield for displaying purposes.
I apologize for such a late response, but would it be possible to do this where this field is derived from a CSV file (named "Group") that I'm comparing to my search data?
I think so! You can define a lookup from a CSV and pull in any data that's part of the CSV as long as you can match the value of one CSV column to a field in your event data. Take a look at the documentation for more details on lookups.
Great, thank you!