Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to sort the column names alphabetically at the end of the search?

HattrickNZ
Motivator
‎03-11-2019 06:00 PM

This is my sample search: 

| makeresults 
     | eval data = "
1-Sep    657 34 35;
2-Sep    434 34 35;
    " 
     | makemv delim=";" data
     | mvexpand data
     | rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)"
     | fields + Date kpi1 kpi2 kpi3 | fields - _time
     | search kpi1 = * 
     |rename kpi1 as  "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times" 
     | rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures" 
     | rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
     | <command(s) goes here>

This gives me the columns in the following order - left to right

1/

Date    
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times  
Incoming Calls in Mobile Office Directions - Common Resources Application Failures  
Incoming Calls in Mobile Office Directions - Assignment Failures

Is there a command that I can add on that will sort these alphabetically to give me
2/

Date    
Incoming Calls in Mobile Office Directions - Assignment Failures
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times
Incoming Calls in Mobile Office Directions - Common Resources Application Failures

I know I can reorder the kpis in this part of the search
| fields + Date kpi1 kpi2 kpi3 |
But my question is more about after that and putting a specific command or commands to sort it alphabetically as 2/ above.
| <command(s) goes here>

Tags (3)
0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-11-2019 06:06 PM

You can use * with table and it will do it in ascii order:

e.g. |table * (but this might have fields you need to remove with |fields -)

or |table Date Inc*

All the best

Reply

niketn
Legend
‎03-11-2019 06:42 PM

@chrisyoungerjds rather than using table a fields can be used directly, the same is anyways there in the current query:

| makeresults 
| eval data = "
 1-Sep    657 34 35;
 2-Sep    434 34 35;
     " 
| makemv delim=";" data 
| mvexpand data 
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)" 
| fields - _time 
| search kpi1 = * 
| rename kpi1 as "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times" 
| rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures" 
| rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
| fields + Date "Incoming Calls in Mobile Office Directions - *"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎03-11-2019 07:01 PM

Yes you are absolutly right. Better to use fields over table

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...