Solved: Sorting a list

himynamesdave · ‎01-08-2014

Hi Splunkers!

My data looks like this - it may be familiar from a recent high-profile data leak 🙂

phone number, username, location
21209864XX, user001, london

My hypothesis is to test wether a phonenumber has created more than one account, which in theory should be impossible.

I want to see a table of phonenumbers and the usernames linked to them, sorted by the phonenumbers that are linked to the most usernames (hopefully that makes sense!)

I have run a search to group all usernames that share the same phonenumber.

index="sandbox" | stats list(phonenumber) by username

I want to sort the resulting table by the lists which contain the most usernames. The search below returns the number of events a unique phonenumber can be found, hence the amount of usernames it is connected too.

index="sandbox" | stats count(phonenumber) by phonenumber | sort -count(phonenumber)

What I'm struggling to do is link to two together, to sort the listed table. Can anyone help?

Thanks!

somesoni2 · ‎01-08-2014

Try following:

index="sandbox" | stats list(username) as usernames by phonenumber | eval count=mvcount(usernames) | sort -count

View solution in original post

somesoni2 · ‎01-08-2014

Try following:

index="sandbox" | stats list(username) as usernames by phonenumber | eval count=mvcount(usernames) | sort -count

Sorting a list

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms