Splunk Search

How to edit my search to sort individual values in fields?

raby1996
Path Finder

Hi all,

I have the following search

"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400 | stats dc(Bundle) as count values(Bundle) as Bundle values(_time) as time list(time2) as Date values(time_diff) as time_diff values(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H)) 

Which returns a table that looks something like this:

 Machine_Serial  count  Bundle  time       Date        time_diff       tim_diff(H)
____________________________________________________________________________________________
 75123           3      1.1     1458049413  2016/03/16  6702139.000000   1134.5710532407 
                        1.3     1458053068  2013/04/2   98026939.000000  1135.5710532407
                        1.4     1464618084  2013/04/23  98113339.000000  77.57105324074 
--------------------------------------------------------------------------------------------
 75334           1      1.5     1464788901  2012/10/17  114356539.000000 1323.57105324074

I've been trying to sort based on the values of time_diff(H) using the sort command, however, it doesn't seem to work on the values in the same under the same group, so they'll be mismatched internally. I've attempted various sort commands, as well placing it in different locations, but I haven't been able to crack it. Is there any I can achieve this?

Thank you in advance.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try

"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400 
| stats count by Machine_Serial Bundle _time time2 time_diff times
| sort 0 Machine_Serial -num(timed) 
| stats dc(Bundle) as count list(Bundle) as Bundle list(_time) as time list(time2) as Date list(time_diff) as time_diff list(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H)) 

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Give this a try

"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400 
| stats count by Machine_Serial Bundle _time time2 time_diff times
| sort 0 Machine_Serial -num(timed) 
| stats dc(Bundle) as count list(Bundle) as Bundle list(_time) as time list(time2) as Date list(time_diff) as time_diff list(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H)) 

raby1996
Path Finder

one note I changed the "times" to" timed" at the end of the 4th line

0 Karma

raby1996
Path Finder

Worked flawlessly, thank you.

0 Karma

sundareshr
Legend

Try sorting before the stats command?

0 Karma

raby1996
Path Finder

I've tried that, and the results are the same, still I appreciate the help.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...