Splunk Search

My dashboard modifies the search commands "sort" and "fields"

clorne
Communicator

Hello,
I have a search rule that works perfectly:
.... |
sort - 0 _time |
fields - _* |
fields data1 data 2 data3

I have created a dashboard and integrated the rule.
The result of the rule is wrong, and I discovered that the search string had been modified:

"sort - 0 _time" => "sort-0 _time", and this command does not work; it does not sort time in the correct order
"fields - _*" => "fields-*", which does not do the same thing; it does not remove the fields beginning with _

I have done many tests and this is 100% reproducible.
Each time, the generation of the dashboard XML code corrupts my search string, and I cannot create a working dashboard.

Any ideas are welcome

Regards

1 Solution

justinatpnnl
Communicator

I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:

sort 0 -_time

I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:

fields - _*

If your intended result was to end up with only the three fields at the end, you should be able to do this:

.... |
sort 0 -_time |
table data1 data2 data3

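Putting the corrected search into a dashboard, as an added example that is not part of the original thread: a minimal Simple XML panel that carries the syntax from the accepted answer. The base search `index=main` and the panel labels are assumptions standing in for the poster's elided "....". The `0` after `sort` lifts the default 10000-row limit, and `-_time` (no space) means descending. Because the SPL lives inside the `<query>` element it is XML text, so a search containing `<`, `>` or `&` would have to write them as `&lt;`, `&gt;` and `&amp;`; the hyphen and `_*` need no escaping, so the hyphen placement is the only thing to fix.

```xml
<dashboard>
  <!-- Added example, not from the original post. index=main is an assumed
       placeholder for the poster's elided base search. -->
  <label>Sorted events (added example)</label>
  <row>
    <panel>
      <table>
        <title>Newest first</title>
        <search>
          <!-- sort 0 -_time : 0 = no result limit, -_time = descending, no space after the minus.
               fields - _*   : space after the minus, drops every field starting with "_".
               table ...     : keeps only the listed columns, so "fields - _*" is redundant before it
                               and is kept here only to mirror the poster's search. -->
          <query>index=main | sort 0 -_time | fields - _* | table data1 data2 data3</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Paste this into the dashboard's Source editor (Edit > Source) rather than building the panel through the UI, then compare the `<query>` text against the search that works in the search bar; the two must match character for character, including the position of each minus sign.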
clorne
Communicator

Thanks a lot


jpolcari
Communicator

Check out the sort documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sort

Give this a shot instead. This is the correct syntax:

sort 0 -_time

clorne
Communicator

Thanks a lot
