Splunk Search

How to sort listed data?

happy035
Explorer

I extracted some data from my set with this: "stats count by failure_reason, dst | stats list(dst) as Target list(count) as "N of Target" by failure_reason"
Then I got the following result set.

failure_reason          Target            N of Target
not a http reply line   107.23..199       27
                        108.168..6        5
                        110.75.***.240    9

I'd like to sort the dst field using [N of Target]. Could you tell me how I can do that, please?
Then one more question: I want to see dsts whose count is over a threshold, such as over 100. How can I do that?

Many Thanks


happy035
Explorer

Hi Strive. It's correct. I want to extract the destination list if the count is greater than 100. But before that, I'd like to sort in descending order by N of Target.


strive
Influencer

Basically, you need to sort dst based on count in ascending order? Additionally, you want to see only those dst(s) which have a count greater than 100. Is that right?


PPape
Contributor

stats count by failure_reason, dst | stats list(dst) as Target list(count) as "N of Target" by failure_reason | sort 100 - "N of Target"

Should show you the top 100 results sorted by N of Target.

Can you give an example for your second question? I'm not sure if I understand it correctly.


PPape
Contributor

Then try this:

stats count by failure_reason, dst | stats list(dst) as Target list(count) as "N of Target" by failure_reason | where 'N of Target' >= 100 | sort 1000 - "N of Target"


happy035
Explorer

Thanks for the comment, PPape.
When I executed my script, I got an unsorted set in "N of Target". I want the data sorted in descending order by the "N of Target" field. 100 means that if the count is greater than 100, I will include that data set.

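The approach the thread is circling around, written out as an added example that is not part of any post above. Two points drive it. First, list() keeps the order of the rows it consumes, so the only way to order the targets inside each failure_reason is to sort (and filter) on count before the second stats; sorting after it only reorders the one row per failure_reason, which is why the result still looked unsorted. Second, in where a double-quoted name such as "N of Target" is a string literal, not a field; a field name containing spaces has to be written in single quotes ('N of Target'). The makeresults/eval/mvexpand prefix below is a stand-in for the output of the original stats count by failure_reason, dst: the reasons, counts and RFC 5737 documentation addresses in sample_rows are constructed for this example and are not the asker's data.

```spl
| makeresults count=1
| eval sample_rows="not a http reply line,192.0.2.10,140;not a http reply line,198.51.100.7,320;not a http reply line,192.0.2.33,27;connection timeout,203.0.113.4,101;connection timeout,203.0.113.9,100"
| makemv delim=";" sample_rows
| mvexpand sample_rows
| rex field=sample_rows "^(?<failure_reason>[^,]+),(?<dst>[^,]+),(?<count>\d+)$"
| eval count=tonumber(count)
| fields failure_reason dst count
| where count > 100
| sort 0 -count
| stats list(dst) as Target list(count) as "N of Target" by failure_reason
```

On the constructed rows this returns two result rows: failure_reason "not a http reply line" with Target [198.51.100.7, 192.0.2.10] and N of Target [320, 140], and "connection timeout" with Target [203.0.113.4] and N of Target [101]; 203.0.113.9 is dropped because its count is exactly 100 and the filter is strictly greater than. Against real data, replace everything up to and including the fields line with the actual search and its stats count by failure_reason, dst. sort 0 lifts the default 10,000-row sort limit so no destination is silently cut off before the second stats; note that list() itself keeps at most 100 values per group, so a failure_reason with more than 100 qualifying destinations needs a different presentation (for example, skipping the second stats and keeping one row per failure_reason, dst).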