Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can't I get my search results to sort properly?

dbcase
Motivator
‎09-19-2016 08:54 AM

Hi,

I have this search

index=main | rex "(?i)\".*? /(?P<URL_HEADER>\w+/\w+)"| rex "(?i) UCT\-(?P<URL_MICRO_SECONDS>\d+)"|rex "(GET)(?<statusget>)"|rex "(POST)(?<statuspost>)"|eval seconds=URL_MICRO_SECONDS/1000000|eventstats avg(seconds) as avgseconds by URL_HEADER|eventstats count(URL_HEADER) as urlcount by URL_HEADER|eval sortc=avgseconds*urlcount|chart values(sortc) sparkline(avg(seconds)) as Trend avg(seconds) as "Average Seconds" max(seconds) as "Maximum Seconds" min(seconds) as "Minimum Seconds" last(seconds) as Current perc90(seconds) as "90th Percentile" count(URL_HEADER) as "URL Execution Count" sparkline(count(statusget)) as "Trend - GET" count(statusget) as "# of GETs" sparkline(count(statuspost)) as "Trend - POST" count(statuspost) as "# of POSTs" by URL_HEADER|sort sortc|rename URL_HEADER as "URL Header - Click for Details"

And for whatever reason I cannot get it to sort on the sortc value. I get results that look like this.

alt text

Tags (2)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-19-2016 09:03 AM

You don't have a field called sortc after the chart command. You only have a field called values(sortc) You should either change to sort values(sortc) OR in your chart command alias the fieldname values(sortc) as sortc.

Just on a different note, you should be able to combine your two eventstats in to one. eventstats avg(seconds) as avgseconds count(URL_HEADER) as urlcount by URL_HEADER

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-19-2016 09:03 AM

You don't have a field called sortc after the chart command. You only have a field called values(sortc) You should either change to sort values(sortc) OR in your chart command alias the fieldname values(sortc) as sortc.

Just on a different note, you should be able to combine your two eventstats in to one. eventstats avg(seconds) as avgseconds count(URL_HEADER) as urlcount by URL_HEADER

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎09-19-2016 11:27 AM

Hi Sundareshr!

Ahhhh I wasn't aware that by using values(sortc) it actually changes the field name from sortc to "values(sortc)" interesting.

Thanks for the update on the eventstats!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...