Re: Can if function be used with sort?

kamryn · ‎07-29-2019

I am working on a dashboard that has a radio button that can change a search between the two of the following

| stats count by fieldA

or

| stats dc(fieldA)

At the end of this search I would like to have a sort based on whether or not count or distinct count is being used.

sort - count

or

sort - distinct_count

Is this something that I can accomplish using the if function? The following is a non functional example of what I would like to do something like.

if(count==disctinct_count, sort - distinct_count, sort - count)

Thank you for any insight you might have.

sandeepmakkena · ‎10-16-2019

| eval sort_field = if(count==disctinct_count, distinct_count, count)
| sort -sort_field

You can try this.
Hope this helps, Thanks!

jacobpevans · ‎07-29-2019

No, there is no way to do this that I'm familiar with.

Could you just try changing one of the stats functions to rename the field? E.g. change:

| stats dc(fieldA)

to

| stats dc(fieldA) as count

then, keep the normal sort

| sort - count

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

Can if function be used with sort?

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!