Splunk Search

How to Sort the "count by..." results

arkonner
Path Finder

I am using the search below for the locked out accounts - Should be possible to sort the result by the user with high number

Thank you in advance

`windowsindex` `windowssourcetype` "EventCode=644" OR "EventCode=4740" | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | timechart count by Locked_Account
Tags (4)
1 Solution

javiergn
SplunkTrust
SplunkTrust

Do you need the timechart or a simple table would do the job?
If so:

windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1) 
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) 
| top limit=0 Locked_Account

View solution in original post

0 Karma

javiergn
SplunkTrust
SplunkTrust

Do you need the timechart or a simple table would do the job?
If so:

windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1) 
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) 
| top limit=0 Locked_Account
0 Karma

arkonner
Path Finder

Hi,

I need a Timechart with the User legend sorted by user with highest number of locked-out instead of legend sort in alphabetic order.

0 Karma

javiergn
SplunkTrust
SplunkTrust

That is a bit more complicated mainly because you don't have the totals per user and time in the same table.

The following might give you the best of both worlds:

windowsindex windowssourcetype "EventCode=644" OR "EventCode=4740"
| eval Win2K8_acc = mvindex(Account_Name,1) 
| eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) 
| timechart count by Locked_Account
| untable _time Locked_Account count
| eventstats sum(count) as total_count by Locked_Account
| xyseries _time Locked_Account count total_count

Let me know if that helps

0 Karma

arkonner
Path Finder

your search duplicate the results as "count" and "total_count" reporting and the user list is empty

Using the search below whit a "line chart" the Legend is in alphabetic order - I am looking to sort the legend from the user with the highest number of locked-out events.

 `windowsindex` `windowssourcetype` "EventCode=644" OR "EventCode=4740" | eval Win2K8_acc = mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | timechart count by Locked_Account
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...