This is my sample search:
| makeresults
| eval data = "
1-Sep 657 34 35;
2-Sep 434 34 35;
"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)"
| fields + Date kpi1 kpi2 kpi3 | fields - _time
| search kpi1 = *
| rename kpi1 as "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times"
| rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures"
| rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
| <command(s) goes here>
This gives me the columns in the following order - left to right
1/
Date
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times
Incoming Calls in Mobile Office Directions - Common Resources Application Failures
Incoming Calls in Mobile Office Directions - Assignment Failures
Is there a command that I can add on that will sort these alphabetically to give me
2/
Date
Incoming Calls in Mobile Office Directions - Assignment Failures
Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times
Incoming Calls in Mobile Office Directions - Common Resources Application Failures
I know I can reorder the kpis in this part of the search
| fields + Date kpi1 kpi2 kpi3 |
But my question is more about after that and putting a specific command or commands to sort it alphabetically as 2/ above.
| <command(s) goes here>
You can use * with table and it will do it in ASCII order:
e.g. |table *
(but this might have fields you need to remove with |fields -)
or |table Date Inc*
All the best
@chrisyoungerjds rather than using table, fields can be used directly; the same is already there in the current query anyway:
| makeresults
| eval data = "
1-Sep 657 34 35;
2-Sep 434 34 35;
"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<Date>\d+-\w+)\s+(?<kpi1>\d+)\s+(?<kpi2>\d+)\s+(?<kpi3>\d+)"
| fields - _time
| search kpi1 = *
| rename kpi1 as "Incoming Calls in Mobile Office Directions - Call Release by Bearer Fail Times"
| rename kpi2 as "Incoming Calls in Mobile Office Directions - Common Resources Application Failures"
| rename kpi3 as "Incoming Calls in Mobile Office Directions - Assignment Failures"
| fields + Date "Incoming Calls in Mobile Office Directions - *"
Yes, you are absolutely right. Better to use fields over table.