Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to sort individual values in...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
06-01-2016
02:09 PM
Hi all,
I have the following search
"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400 | stats dc(Bundle) as count values(Bundle) as Bundle values(_time) as time list(time2) as Date values(time_diff) as time_diff values(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H))
Which returns a table that looks something like this:
Machine_Serial count Bundle time Date time_diff tim_diff(H)
____________________________________________________________________________________________
75123 3 1.1 1458049413 2016/03/16 6702139.000000 1134.5710532407
1.3 1458053068 2013/04/2 98026939.000000 1135.5710532407
1.4 1464618084 2013/04/23 98113339.000000 77.57105324074
--------------------------------------------------------------------------------------------
75334 1 1.5 1464788901 2012/10/17 114356539.000000 1323.57105324074
I've been trying to sort based on the values of time_diff(H) using the sort command, however, it doesn't seem to work on the values in the same under the same group, so they'll be mismatched internally. I've attempted various sort commands, as well placing it in different locations, but I haven't been able to crack it. Is there any I can achieve this?
Thank you in advance.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
SplunkTrust
06-01-2016
09:52 PM
Give this a try
"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400
| stats count by Machine_Serial Bundle _time time2 time_diff times
| sort 0 Machine_Serial -num(timed)
| stats dc(Bundle) as count list(Bundle) as Bundle list(_time) as time list(time2) as Date list(time_diff) as time_diff list(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
SplunkTrust
06-01-2016
09:52 PM
Give this a try
"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400
| stats count by Machine_Serial Bundle _time time2 time_diff times
| sort 0 Machine_Serial -num(timed)
| stats dc(Bundle) as count list(Bundle) as Bundle list(_time) as time list(time2) as Date list(time_diff) as time_diff list(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
06-02-2016
11:17 AM
one note I changed the "times" to" timed" at the end of the 4th line
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
06-02-2016
11:16 AM
Worked flawlessly, thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
06-01-2016
03:58 PM
Try sorting before the stats command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
raby1996
Path Finder
06-01-2016
05:17 PM
I've tried that, and the results are the same, still I appreciate the help.
Get Updates on the Splunk Community!
Welcome to the Splunk Community!
(view in My Videos)
We're so glad you're here!
The Splunk Community is place to connect, learn, give back, and ...
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
