Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to sort severity in search?

Ropermark
New Member
‎08-20-2018 07:22 AM

Hello all,

I am very new to Splunk and I am looking to sort by the following command:

index=server-farm Risk=Critical OR Risk=High OR Risk=Medium OR Risk=Low | chart count by index, Risk | addtotals

But the problem is when I see the result I see in the following order:

index  - Critical - High - Low - Medium - Total

I want to sort that in:

Index - Critical - High - Medium - Total

Could someone please help me how to sort that.

Thanks in advance.

0 Karma
Reply

niketn
Legend
‎08-20-2018 09:06 AM

@Ropermark you can try out the following SPL

 index=server-farm Risk=Critical OR Risk=High OR Risk=Medium OR Risk=Low 
| chart count by index, Risk
| rename Low as "1.Low",Medium as "2.Medium",High as "3.High",Critical as "4.Critical"
| table index 1.* 2.* 3.* 4.*
| rename 1.* as *, 2.* as *, 3.* as *, 4.* as *
| addtotals

Following is a run anywhere search example:

| makeresults
| eval data="Risk=Critical,index=a OR Risk=High,index=a OR Risk=Medium,index=b OR Risk=Low,index=b OR Risk=Critical,index=b OR Risk=High,index=b OR Risk=Medium,index=b OR Risk=Low,index=b"
| makemv data delim=" OR "
| mvexpand data
| rename data as _raw
| KV
| chart count by index, Risk
| rename Low as "1.Low",Medium as "2.Medium",High as "3.High",Critical as "4.Critical"
| table index 1.* 2.* 3.* 4.*
| rename 1.* as *, 2.* as *, 3.* as *, 4.* as *
| addtotals
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

Ropermark
New Member
‎08-24-2018 07:20 AM

Hello thanks for the reply..
But the problem is always same.

the result query answer is

Index | Critial | High | Low | Medium | Total

i want low after medium, in this way my graph will be what i want.

thanks for your help

0 Karma
Reply

niketn
Legend
‎08-25-2018 11:36 AM

Then use rename "1.Medium", "2.Low"... in the above SPL.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

tomawest
Path Finder
‎08-20-2018 08:56 AM

I suspect someone may be able to come up with a cleaner way, however this is the kind of approach I have taken in the past to this kind of issue.

index=server-farm Risk=Critical OR Risk=High OR Risk=Medium OR Risk=Low |
eval Risk=if(Risk="Critical","1:". Risk,if(Risk="High","2:". Risk,if(Risk="Medium","3:". Risk,"4:". Risk))) |
chart count by index, Risk |
rex field=Risk "[0-9]+:(?.+)" |
addtotals

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...