
How can I sort a field alphabetically and then by total?

jwalzerpitt
Influencer

I have the following search in which I'm trying to sort first alphabetically and then by total, but the Processes field is not sorting alphabetically.

index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total

Any idea as to what I'm missing or not doing correctly?
Thx


somesoni2
SplunkTrust

The Processes field at the end is a multivalued field, hence it doesn't get sorted by the sort command. Give this a try:

index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total

Please note that Processes is sorted lexicographically (upper case is sorted first, then lower case).

jwalzerpitt
Influencer

Thx as that worked (as well as the explanation on sorting lexicographically). With that knowledge, I modified my search as below which allowed for sorting alphabetically on the Processes field.

index=sysmon | eval process=lower(process) | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total

Please copy your reply into the answer field so I can mark it as such, and thx again for the help!
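As an added example (not from the thread), the Python below models the accepted search and the lower() variant over constructed Sysmon-like events: it reproduces why mvsort() puts upper-case names first and shows that dc(process) after lower() folds case variants of the same name into one, so Total can change. mvsort() is modelled as a plain code-point sort; the events and parent paths are made up.

```python
# Added example, not from the thread: a small model of the SPL pipeline
# ... | stats count by process,ParentImage
# | stats dc(process) as Total, list(process) as Processes by ParentImage
# | eval Processes=mvsort(Processes)
# with and without a preceding eval process=lower(process).
from collections import Counter, defaultdict

# Constructed sample events (process, ParentImage); not real telemetry.
EVENTS = [
    ("cmd.exe", r"C:\Windows\explorer.exe"),
    ("cmd.exe", r"C:\Windows\explorer.exe"),
    ("Update.exe", r"C:\Windows\explorer.exe"),
    ("update.exe", r"C:\Windows\explorer.exe"),   # same binary, different case
    ("aruser.exe", r"C:\Windows\explorer.exe"),
    ("OUTLOOK.EXE", r"C:\Windows\explorer.exe"),
    ("conhost.exe", r"C:\Windows\System32\cmd.exe"),
    ("ping.exe", r"C:\Windows\System32\cmd.exe"),
]


def mvsort(values):
    """Model of SPL mvsort(): lexicographic by code point, so 'Z' < 'a'."""
    return sorted(values)


def stats_by_parent(events, lowercase=False):
    """Return {ParentImage: {"Total": dc(process), "Processes": mvsort(list(process))}}.

    lowercase=True models the eval process=lower(process) step from the thread.
    """
    if lowercase:
        events = [(proc.lower(), parent) for proc, parent in events]
    counts = Counter(events)                      # stats count by process,ParentImage
    by_parent = defaultdict(list)
    for (proc, parent), _count in counts.items():  # one row per distinct pair
        by_parent[parent].append(proc)            # list(process) by ParentImage
    return {
        parent: {"Total": len(set(procs)), "Processes": mvsort(procs)}
        for parent, procs in by_parent.items()
    }


if __name__ == "__main__":
    for lowercase in (False, True):
        print(f"lower() applied: {lowercase}")
        for parent, row in stats_by_parent(EVENTS, lowercase).items():
            print(f"  {parent}  Total={row['Total']}  Processes={row['Processes']}")
```

Without lower(), explorer.exe reports Total=5 with Update.exe and update.exe as separate values; with lower() it reports Total=4.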

somesoni2
SplunkTrust

Here you go.

jwalzerpitt
Influencer

Thx again!

jwalzerpitt
Influencer

Modified the search as below, but still no luck:

index=sysmon | stats count by process,ParentImage | sort +str(process),-count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total

richgalloway
SplunkTrust

What sort order are you getting?

---
If this reply helps you, Karma would be appreciated.

jwalzerpitt
Influencer

I get the correct sort order based on Total, but the Processes field is all over the place. Here's the Processes field from the first listing:

cmd.exe
notepad++.exe
Update.exe
aruser.exe
firefox.exe
runonce.exe
Box Edit.exe
Box Local Com Service.exe
CCleaner64.exe
DellSystemDetect.exe
IAStorIconLaunch.exe
ImageTray.exe
ONENOTEM.EXE
OUTLOOK.EXE
OneDrive.exe
RDCMan.exe
SnippingTool.exe
WINWORD.EXE
chrome.exe
explorer.exe
lync.exe
netsession_win.exe
vmtoolsd.exe