Sorting Duration and Getting the Top 10

splunknovice201 · ‎10-23-2013

I have a duration field in seconds. I wanted the format to be D+hh:mm:ss, so I used this:
eval dur_hhmmss=tostring(Duration,"duration")

Then I had to sort it to get the top 10, so I used the sort then head 10:
eval dur_hhmmss=tostring(Duration,"duration")| search dur_hhmmss="*" | chart latest(dur_hhmmss) as Duration by JOBNAME | sort Duration desc | head 10

I was expecting to see 1+18:36:16 (1+ is 1 DAY), at the top of the list but it's not getting displayed in the top 10 result set. If I remove head 10, which then would show all the result, I see 1+18:36:16 at the 19th spot, together with those 1hr results.

How do I get it to appear at the top 10 list? It looks like Splunk is seeing it as 1hr*

splunknovice201 · ‎10-23-2013

It worked, thank you!!

aholzer · ‎10-23-2013

The reason it's not working for you is because you have just turned the Duration into a string, and it will now sort alphabetically

Try this:

... | search dur_hhmmss="*" | chart latest(Duration) as Duration by JOBNAME | top limit=10 Duration | eval dur_hhmmss=tostring(Duration,"duration")

Basically you are doing all the calculations you want to do on the Duration while it's a number (integer), and then performing the transform to string at the end.

Hope this helps

Sorting Duration and Getting the Top 10

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes