I have a filed1 whose values are like below
TS - asfdfe sdrerw
TS - ieirrrr werr
TS - ierr werflll
BS - errriowr erer
AB - erewr erer
CS - ierwrr her
I want to create a temporary filed to sort these values
eval temp_field1= field1 where field1=TS*
eval temp_field2= field1 where field1=!TS*
then in my query i want to sort temp_field1 and temp_field2 separately.
@surekhasplunk, I hope you are trying to sort all field values containing TS first
in ascending order. Then you want to add remaining values sorted afterwards
.
Please try out the following run anywhere search based on your sample data. I have jumbled TS and other fields for testing sort.
| makeresults
| eval data="CS - ierwrr her;TS - defirrrr werr;TS - abcr werflll;BS - errriowr erer;AB - derwr erer;TS - asfdfe sdrerw"
| eval data=split(data,";")
| mvexpand data
| eval field1=mvindex(data,0)
| table field1
| sort field1
| eval sortOverride=case(match(field1,"^TS - "),"Y",true(),"N")
| appendpipe [| where sortOverride="N" | eval sortOverride="Y" ]
| search sortOverride="Y"
@somesoni2, I was so blown away by your use of appendpipe
yesterday that I wanted to try it myself... thanks for teaching a new trick 🙂
Hi @niketnilay and @somesoni2
Thanks but it isn't working as expected its just giving me each line 6 times without calculating anything.
am getting like below :
CS - ierwrr her Null%
... 6 times Null%
CS - ierwrr her
TS - defirrrr werr
... 6times
TS - defirrrr werr
etc.
if I have 2 values in data separated by ; then mvexpand is giving me 4 values in the result .. if 3 values then 6 like that. How to get single values
field1 value "^TS" sum them addtotals and then rest of the rows and at the end sum total of all lines. This is what I need.
And how do I add these lines now as earlier I was sorting with row number but now am sorting with pattern.
| addcoltotals label=Total labelfield=field1 | streamstats count as sno
| appendpipe [| head 7 | addcoltotals label=Total labelfield=field1 | eval keep="Y" ]
@surekhasplunk, first Un-accept the answer, if your query is not resolved, so that this question flags as unanswered for other community members as well.
In my run anywhere example the pipes till | table field1
were just used to mock sample data as per your question. You dont need to use those pipes.
You would need to write your own Splunk search query with required transforming command to output the table. Then continue with commands in the answer to be applied on field1
(as per the question).
Please try out and confirm. Try out other answers suggested by Guiseppe and Somesh as well to see if caters to your needs and resolves your issue or not.
You need to use either match
or like
function of eval to generate your temporary fields like this.
your current search with field 'field1'
| eval temp_field1=if(match(field1,"^TS"),field1,null())
| eval temp_field2=if(NOT match(field1,"^TS"),field1,null())
OR
your current search with field 'field1'
| eval temp_field1=if(like(field1,"TS%"),field1,null())
| eval temp_field2=if(NOT like(field1,"TS%"),field1,null())
Sorting can be done by any field (or in specific order of combination of those fields) using sort command.
Hi surekhasplunk,
did you already tested
| eval temp_field1=if(field1=TS*,field1," "), temp_field2=if(field1!=TS*,field1," ")
In this way you can sort them as you like
Bye.
Giuseppe
The creation of temporary fields will be pretty straightforward:
| eval temp_field1=if(field1="TS*", field1, NULL)
| eval temp_field2=if(field1="TS*", NULL, field1)
And then you can sort by either field:
| sort temp_field1
OR |sort temp_field2