This is my search below. It shows Country and count. How do I sort the count field for largest to smallest?
index="cisco_asa" src_ip="*" dest_port="*" action="blocked" | fields src_ip | iplocation src_ip | stats count by Country
Add the following to the end of your search:
your search....| sort -count
Because there are fewer than 1000 Countries, this will work just fine but the default for sort is equivalent to sort 1000 so EVERYONE should ALWAYS be in the habit of using sort 0 (unlimited) instead, as in sort 0 - count or your results will be silently truncated to the first 1000.
Just an update, default is now 10000
now 1000
This is one of the most common gotchas I see among our users. Sure wish splunk would add some sort of tool tip or notification when such limits kick in.
that's a good one to keep in mind!
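As an added example (not from this thread and not Splunk's own code), the Python below reproduces the question's pipeline over constructed ASA-style deny lines: extract src_ip from blocked events, map it to Country through a constructed stand-in for the iplocation GeoIP lookup, count by Country, and sort descending with an explicit row limit, so you can watch a capped sort drop the tail of the table while limit 0 keeps every row. All log lines, addresses and the IP-to-country table are constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed ASA-style syslog lines (not real captures). 106023 is the ASA
# "Deny" message id; the trailing 302013 "Built" line is a permitted
# connection, included to show that only blocked events are counted.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:192.0.2.10/51000 dst inside:10.0.0.5/22 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:192.0.2.11/51001 dst inside:10.0.0.5/22 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:192.0.2.12/51002 dst inside:10.0.0.5/3389 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:192.0.2.13/51003 dst inside:10.0.0.5/445 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51004 dst inside:10.0.0.5/22 by access-group "outside_in"
%ASA-4-106023: Deny udp src outside:198.51.100.8/51005 dst inside:10.0.0.5/53 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:203.0.113.9/51006 dst inside:10.0.0.5/443 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:10.9.9.9/51007 dst inside:10.0.0.5/22 by access-group "outside_in"
%ASA-6-302013: Built inbound TCP connection 1 for outside:192.0.2.10/51008 (192.0.2.10/51008) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

# Matches only ASA deny events and captures the source address
# (the equivalent of action="blocked" | fields src_ip in the question).
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny \w+ src \w+:(?P<src_ip>[\d.]+)/\d+ dst \w+:[\d.]+/\d+"
)

# Constructed stand-in for Splunk's iplocation GeoIP lookup (documentation
# prefixes mapped to arbitrary country names; not real geolocation data).
GEO_LOOKUP = {
    ipaddress.ip_network("192.0.2.0/24"): "United States",
    ipaddress.ip_network("198.51.100.0/24"): "Germany",
    ipaddress.ip_network("203.0.113.0/24"): "Brazil",
}


def blocked_src_ips(log_text):
    """Return src_ip for every blocked (deny) event, in log order."""
    matches = (DENY_RE.match(line) for line in log_text.splitlines())
    return [m.group("src_ip") for m in matches if m]


def iplocation(ip):
    """Return the Country for ip, or None when the lookup has no match
    (Splunk's iplocation likewise leaves Country empty for unknown addresses)."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_LOOKUP.items():
        if addr in net:
            return country
    return None


def stats_count_by_country(src_ips):
    """stats count by Country: events with no Country value are not counted,
    matching how stats ... by drops events that lack the by-field."""
    return Counter(c for c in map(iplocation, src_ips) if c)


def sort_desc(counts, limit=1000):
    """sort <limit> -count: rows ordered by count, largest first (ties by name).

    limit=1000 mirrors the older default the answer warns about (the thread
    notes it was later raised to 10000); limit=0 means unlimited, as in SPL.
    Anything beyond the limit is dropped without any warning."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return rows if limit == 0 else rows[:limit]


if __name__ == "__main__":
    counts = stats_count_by_country(blocked_src_ips(SAMPLE_LOG))
    print("sort 0 -count (unlimited):")
    for country, n in sort_desc(counts, limit=0):
        print(f"{n:>5}  {country}")
    print("sort 2 -count (capped):")
    for country, n in sort_desc(counts, limit=2):
        print(f"{n:>5}  {country}")
```

Running it prints three countries for the unlimited sort and only two for the capped one; the dropped row is exactly the silent truncation the answer describes, scaled down from 1000 to 2 so it is visible on a small sample.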