I have the following search in which I'm trying to sort first alphabetically and then by total, but the Processes field is not sorting alphabetically.
index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total
Any idea as to what I'm missing or not doing correctly?
Thx
The Processes field in the end is a multivalued field, hence it doesn't get sorted by the sort command. Give this a try
index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total
Please note that Processes are sorted lexicographically (upper case is sorted first, then lower case)
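The following Python script is an added example, not part of the original thread or of Splunk itself. It emulates the pipeline above (stats count, sort -count, list() per ParentImage, mvsort) on a small set of constructed Sysmon events, to show why mvsort puts upper-case names such as Update.exe and OUTLOOK.EXE ahead of lower-case ones, and how applying lower() before the stats fixes it. It assumes, as the answer states, that list() keeps values in arrival order and that mvsort compares strings byte-wise; the event data and counts are made up.

```python
# Added example (not from the Splunk thread): emulates
#   stats count by process,ParentImage | sort -count
#   | stats dc(process) as Total, list(process) as Processes by ParentImage
#   | eval Processes=mvsort(Processes)
# on constructed sample events, with and without eval process=lower(process).
from collections import Counter, defaultdict

# Constructed sample events as (process, ParentImage) pairs; counts are made up.
SAMPLE_EVENTS = [
    ("Update.exe", "explorer.exe"),
    ("Update.exe", "explorer.exe"),
    ("cmd.exe", "explorer.exe"),
    ("cmd.exe", "explorer.exe"),
    ("cmd.exe", "explorer.exe"),
    ("notepad++.exe", "explorer.exe"),
    ("aruser.exe", "explorer.exe"),
    ("OUTLOOK.EXE", "svchost.exe"),
    ("chrome.exe", "svchost.exe"),
    ("OneDrive.exe", "svchost.exe"),
]


def stats_count_sorted(events):
    """stats count by process,ParentImage | sort -count.
    Returns [((process, parent), count), ...] with the highest count first.
    Python's sort is stable, so ties keep their original order."""
    counts = Counter(events)
    return sorted(counts.items(), key=lambda kv: -kv[1])


def stats_list_by_parent(rows):
    """stats dc(process) as Total, list(process) as Processes by ParentImage.
    Assumption (per the answer): list() keeps values in the order the rows
    arrive, i.e. descending count after the preceding sort."""
    per_parent = defaultdict(list)
    for (process, parent), _count in rows:
        per_parent[parent].append(process)
    return {
        parent: {"Total": len(set(procs)), "Processes": procs}
        for parent, procs in per_parent.items()
    }


def mvsort(values):
    """Emulates Splunk mvsort: plain lexicographic (byte-wise) order,
    so every upper-case letter sorts before every lower-case letter."""
    return sorted(values)


def run_search(events, lowercase=False, sort_mv=True):
    """Runs the emulated pipeline. lowercase=True corresponds to adding
    eval process=lower(process) before the first stats; sort_mv=False
    corresponds to leaving out the eval Processes=mvsort(Processes)."""
    if lowercase:
        events = [(proc.lower(), parent) for proc, parent in events]
    result = stats_list_by_parent(stats_count_sorted(events))
    if sort_mv:
        for parent in result:
            result[parent]["Processes"] = mvsort(result[parent]["Processes"])
    return result


if __name__ == "__main__":
    for label, kwargs in [("no mvsort", {"sort_mv": False}),
                          ("mvsort", {}),
                          ("lower() + mvsort", {"lowercase": True})]:
        print(f"--- {label} ---")
        for parent, row in run_search(SAMPLE_EVENTS, **kwargs).items():
            print(parent, row["Total"], row["Processes"])
```

Without mvsort, Processes simply follows the descending count order from the first sort; with mvsort, Update.exe and OUTLOOK.EXE jump ahead of the lower-case names exactly as in the listing later in this thread; lowering the case first gives the alphabetical order the question was after.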
Thx, as that worked (as well as the explanation on sorting lexicographically). With that knowledge, I modified my search as below, which allowed for sorting alphabetically on the Processes field.
index=sysmon | eval process=lower(process) | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total
Please copy your reply into the answer field so I can mark it as such, and thx again for the help!
Here you go.
Thx again!
Modified search to as below, but still no luck
index=sysmon | stats count by process,ParentImage | sort +str(process),-count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total
What sort order are you getting?
I get the correct sort order based on Total, but the Processes field is all over the place. Here's from the first listing:
cmd.exe
notepad++.exe
Update.exe
aruser.exe
firefox.exe
runonce.exe
Box Edit.exe
Box Local Com Service.exe
CCleaner64.exe
DellSystemDetect.exe
IAStorIconLaunch.exe
ImageTray.exe
ONENOTEM.EXE
OUTLOOK.EXE
OneDrive.exe
RDCMan.exe
SnippingTool.exe
WINWORD.EXE
chrome.exe
explorer.exe
lync.exe
netsession_win.exe
vmtoolsd.exe