Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

When showing data through table, can't sort in descending order because null > any numerical value

kkas
Path Finder
‎06-25-2015 05:48 AM

So I am displaying a ton of events with a very long table with tons of fields (input pkt, output pkt, input octet, output octet, duration...etc) to allow a user to quickly sort by whichever field they choose fit. The problem is when I try to sort through descending order, the null field is considered greater than any of the numerical values, so I have 10+ pages of straight null fields, but I don't want to exclude events with null values and I don't want to represent null fields with zero because that means two different things.
Is there a way to go about fixing the sorting issue caused by null?

My abbreviated search looks as follows

sourcetype=Alpha|table Username, IP_Address, Input_Octets|sort -Input_Octets

which outputs something like

Username    |   IP Address   |   Input_Octets
    derp        | 10.203....     | null  
\\\20 pages of null value in input_octet
    derp        | 10.203....     | 1321234
    derp        | 10.203....     | 123441
    derp        | 10.203....     | 0
Tags (3)
0 Karma
Reply

fdi01
Motivator
‎06-27-2015 10:41 PM

try like

 sourcetype=Alpha|eval Input_Octets=if(Input_Octets!="null",Input_Octets,-1)|table Username, IP_Address, Input_Octets|sort -Input_Octets
0 Karma
Reply

ngatchasandra
Builder
‎06-25-2015 06:18 AM

Hi kkas,

Try with

 sourcetype=Alpha|table Username, IP_Address, Input_Octets|sort -num(Input_Octets)
Reply

ngatchasandra
Builder
‎06-25-2015 06:45 AM

Try again with auto attribute. This will determine automatically how to sort the Input_Octets's values.

sourcetype=Alpha|table Username, IP_Address, Input_Octets|sort -auto(Input_Octets)
0 Karma
Reply

kkas
Path Finder
‎06-25-2015 06:27 AM

Cool, this worked for the most part. The one issue I have with this solution is when you try to click the different field tabs at the top to re-sort in different order, it goes back to being null>#. This conflicts with what I'm trying to do to allow the user to sort by clicking the field tabs for quick data analysis of different fields. I may just replace null with -1 and note the change in panel title.
Thanks for your input!

0 Karma
Reply

ngatchasandra
Builder
‎06-25-2015 06:40 AM

Do you want other solution?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...