Hey,
In Splunk, you can sort your search results by field using the sort command.
Is it possible to sort search results by row?
E.g. If I have a search that produces the following table:
Day Total
1 Monday 93
2 Tuesday 124
3 Thursday 356
4 Weekend 1022
5 Wednesday 248
and what I really want instead is this table below (showing the days in order):
Day Total
1 Monday 93
2 Tuesday 124
3 Wednesday 248
4 Thursday 356
5 Weekend 1022
How would I be able to do this? Is this possible in Splunk? (Numbers 1-5 are just Splunk default table row numbers)
There is a solution, though it's a little complicated. You would need to create a field that can be sorted on first, since sorting on weekdays would sort in alphabetical order.
<your search> | eval wd=lower(Day) | eval sort_field=case(wd=="monday",1,wd=="tuesday",2,wd=="wednesday",3,wd=="thursday",4,wd=="friday",5,wd=="weekend",6) | sort sort_field | fields - sort_field
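The same approach as a self-contained search you can paste into Splunk to try it, added here as an example and not part of the answer above: the input table is constructed with makeresults (the five rows from the question), a catch-all bucket handles any Day value the case() does not list (otherwise sort_field is null for those rows), and sort 0 lifts the default 10,000-row limit on sort.

```spl
| makeresults count=5
| streamstats count AS n
| eval Day=case(n==1,"Monday", n==2,"Tuesday", n==3,"Thursday", n==4,"Weekend", n==5,"Wednesday")
| eval Total=case(n==1,93, n==2,124, n==3,356, n==4,1022, n==5,248)
| fields - _time n
| eval wd=lower(trim(Day))
| eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="weekend",6, true(),99)
| sort 0 sort_field
| fields - wd sort_field
```

Replace everything up to and including the `fields - _time n` line with your own search; rows whose Day value is not in the list land at the bottom with sort_field 99 instead of being sorted unpredictably as null.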
| eval wd=lower(Day) | eval sort_field=case(wd=="monday",1,wd=="tuesday",2,wd=="wednesday",3,wd=="thursday",4,wd=="friday",5,wd=="weekend",6) | sort sort_field | fields - sort_field
Besides changing sort_field to my field name, what else do I change? Do I change the wd value to my field name too?
I suspect that you need to use rex to create a field for the total and then sort by that field.