Solved: How do you sort by a specific order by the values ...

johnward4 · ‎11-17-2018

I am trying to figure out if there's a way to sort my table by the Fields "Whs" which have values of :
GUE -- I want to show rows for GUE data first
GUR -- followed by GUR

I also need to sort by a field called "Type" and the sort needs to follow this order of type
Full_CS
Ovsz
PTL
B_Bay
Floor

then repeat in that order showing rows for GUR.

Here's my current query

index=test sourcetype="example" 
| stats values(Machine) as Machine, values(Whs) as Whs, values(Dscrptn) as Dscrptn, values(Percent_Sorted) as Percent_Sorted, sum(Total_CS) as Total_CS, sum(Online_CS) as Online_CS, sum(Inducted_CS) as Inducted_CS, sum(FullCSUnits) as FullCSUnits, sum(Full_CS) as Full_CS, sum(BTS) as BTS, sum(Total_Packed) as Total_Packed, sum(Total_VAS) as Total_VAS, sum(In_VAS) as In_VAS, sum(Total_Non_Vas) as Total_Non_Vas, sum(eval(Total_Units_Machine - (Total_Units_Machine * Percent_Sorted / 100))) as RmnngUnits by Wave, _time
| table Machine, Whs, Wave, Dscrptn, Percent_Sorted, RmnngUnits, Total_CS, Online_CS, Inducted_CS, FullCSUnits, Full_CS, BTS, Total_VAS, Total_Non_Vas, In_VAS, Total_Packed
| sort WHS, Type

gcusello · ‎11-17-2018

Hi johnward4,
if you want to sort in alphabetical order, your search is aleady Ok,
if instead you want to sort in a different order, you have to use an hide field, in other words:

 index=test sourcetype="example" 
 | stats values(Machine) as Machine, values(Whs) as Whs, values(Dscrptn) as Dscrptn, values(Percent_Sorted) as Percent_Sorted, sum(Total_CS) as Total_CS, sum(Online_CS) as Online_CS, sum(Inducted_CS) as Inducted_CS, sum(FullCSUnits) as FullCSUnits, sum(Full_CS) as Full_CS, sum(BTS) as BTS, sum(Total_Packed) as Total_Packed, sum(Total_VAS) as Total_VAS, sum(In_VAS) as In_VAS, sum(Total_Non_Vas) as Total_Non_Vas, sum(eval(Total_Units_Machine - (Total_Units_Machine * Percent_Sorted / 100))) as RmnngUnits by Wave, _time
 | table Machine, Whs, Wave, Dscrptn, Percent_Sorted, RmnngUnits, Total_CS, Online_CS, Inducted_CS, FullCSUnits, Full_CS, BTS, Total_VAS, Total_Non_Vas, In_VAS, Total_Packed
| eval rank=case(Type="Full_CS","1",Type="Ovsz","2",Type="PTL","3",Type="B_Bay","4",Type="Floor",5")
| sort WHS, Rank
| fields - Rank

Bye.
Giuseppe

View solution in original post

gcusello · ‎11-17-2018

Hi johnward4,
if you want to sort in alphabetical order, your search is aleady Ok,
if instead you want to sort in a different order, you have to use an hide field, in other words:

 index=test sourcetype="example" 
 | stats values(Machine) as Machine, values(Whs) as Whs, values(Dscrptn) as Dscrptn, values(Percent_Sorted) as Percent_Sorted, sum(Total_CS) as Total_CS, sum(Online_CS) as Online_CS, sum(Inducted_CS) as Inducted_CS, sum(FullCSUnits) as FullCSUnits, sum(Full_CS) as Full_CS, sum(BTS) as BTS, sum(Total_Packed) as Total_Packed, sum(Total_VAS) as Total_VAS, sum(In_VAS) as In_VAS, sum(Total_Non_Vas) as Total_Non_Vas, sum(eval(Total_Units_Machine - (Total_Units_Machine * Percent_Sorted / 100))) as RmnngUnits by Wave, _time
 | table Machine, Whs, Wave, Dscrptn, Percent_Sorted, RmnngUnits, Total_CS, Online_CS, Inducted_CS, FullCSUnits, Full_CS, BTS, Total_VAS, Total_Non_Vas, In_VAS, Total_Packed
| eval rank=case(Type="Full_CS","1",Type="Ovsz","2",Type="PTL","3",Type="B_Bay","4",Type="Floor",5")
| sort WHS, Rank
| fields - Rank

Bye.
Giuseppe

johnward4 · ‎11-17-2018

Thank you @cusello ! this is exactly what I needed

Keysofsandiego · ‎09-06-2019

The Last 2 fields should be lowercase rank's (not camelcase Rank). as the eval is creating a new field called "rank"

 | sort WHS, rank
 | fields - rank

That being said DUDE ThAnKs! YoU ToTaLlY gOt Me WhAt I nEeDeD! 
=)

UPVOTE HIS ANSWER PLZ!

johnward4 · ‎11-17-2018

Here's an example from a dashboard I'm trying to replicate in Splunk.

How do you sort by a specific order by the values of a field?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!