Splunk Search

how to sort rows result in descending order

mmouse88
Path Finder

Happy New Year!!!

my splunk query --> search command | timechart sum(quantity) as total span=1week by user limit=5 | sort -total

here's the row results I have which is total:

8 4 6 1 3

I want the sort to look like this:

1 3 4 6 8

Is it possible?

Thanks

Tags (3)
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try this workaround which will keep the column order but the column names will have a serial number in front of them.

search command | bucket span=1w _time | stats  sum(quantity) as total by _time user | sort 5 -total | streamstats count as sno | eval user=sno.")".user | xyseries _time user total

View solution in original post

jw44250
New Member
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this workaround which will keep the column order but the column names will have a serial number in front of them.

search command | bucket span=1w _time | stats  sum(quantity) as total by _time user | sort 5 -total | streamstats count as sno | eval user=sno.")".user | xyseries _time user total

mmouse88
Path Finder

Much appreciated somesoni2. This is what i'm looking for.

0 Karma

mmouse88
Path Finder

oh yea, one point to make. it does display in order but not really. here's what it shows if I have more than 10 say 11. Basically, it takes all the users that has a 1 in the front.

_time 1)user1 10)user2 11)user3 2)user4 (default column heading)
2017-01-05 1 3 4 6 8

0 Karma

burwell
SplunkTrust
SplunkTrust

To sort in ascending order use the plus sign.

... sort +total

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Hi mmouse88,

With the timechart command, your total is always order by _time on the x axis, broken down into users.

If you want to order your data by total in 1h timescale, you can use the bin command, which is used for statistical operations that the chart and the timechart commands cannot process.
Please try this:

... | bin span=1h _time | stats sum(quantity) as total by _time, user| sort -total

For details about bin, please refer to:
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Bin

Hope this helps, thanks!
Hunter

0 Karma

mmouse88
Path Finder

thx u Hunter for your response. I was able to achieve the same output as you adding this

| untable _time, user, total | sort -total

Not really what I was looking for. I want to keep the same format where it still display in row but change the order from descending.

_time user1 user2 user3 user4 (default column heading)
2017-01-05 1 3 4 6 8

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...