Sort Search Command Question

Question

Hey,

In Splunk, you can sort your search results by field using the sort command.

Is it possible to sort search results by row?

E.g. If I have a search that produces the following table:

Day Total

1 Monday 93

2 Tuedsay 124

3 Thursday 356

4 Weekend 1022

5 Wednesday 248

and what I really want instead is this table below (showing the days in order):

Day Total

1 Monday 93

2 Tuedsay 124

3 Wednesday 248

4 Thursday 356

5 Weekend 1022

How would I be able to do this? Is this possible in Splunk? (Numbers 1-5 are just Splunk default table row numbers)

Accepted Answer

2

There is a solution, it's a little complicated though. You would need to create a field that can be sorted on first, since sorting on weekdays would sort in alphabetical order.

<your search> | eval wd=lower(Day) | eval sort_field=case(wd=="monday",1,wd=="tuesday",2,wd=="wednesday",3,wd=="thursday",4,wd=="friday",5,wd=="weekend",6) | sort sort_field | fields - sort_field

link

answered 22 Sep '10, 14:51

ziegfried ♦
10.0k●1●6●18
accept rate: 52%

Answer 2

0	I suspect that you need to use rex to create a field for the total and then sort by that field. link answered 22 Sep '10, 14:18 christopherutz 193●1●10 accept rate: 40%

Sort Search Command Question

Follow this question

Splunk Resources

Related questions