Solved: How to sort by field?

jackpal · ‎06-27-2018

I am trying to get the highest used process percentage by user, however, I am unable to sort by the field I want to.

index=os sourcetype=top host=hostname
| chart sum(pctCPU) as CPU_USAGE by USER,COMMAND
| sort sum(pctCPU) desc 
| head 5

This produces a table but I'd like the chart to only show the top 5 users and the commands they are running sorted by their CPU_USAGE

cpetterborg · ‎06-27-2018

Does this do it for you?:

index=os sourcetype=top host=hostname
| stats sum(pctCPU) as CPU_USAGE by USER,COMMAND
| sort - CPU_USAGE
| head 5

jackpal · ‎06-27-2018

Thanks to all who responded.

cpetterborg · ‎06-27-2018

Does this do it for you?:

index=os sourcetype=top host=hostname
| stats sum(pctCPU) as CPU_USAGE by USER,COMMAND
| sort - CPU_USAGE
| head 5

renjith_nair · ‎06-27-2018

Hi @jackpal,

Try

index=os sourcetype=top host=hostname |fields USER,pctCPU,COMMAND|sort pctCPU desc|head 5| chart sum(pctCPU) as CPU_USAGE by USER,COMMAND

This will sort based on cpu usage not on the sum . If you need to sort on sum of cpu usage of a user then , try

    index=os sourcetype=top host=hostname |stats sum(pctCPU) as CPU_USAGE by USER,COMMAND
    |sort CPU_USAGE desc|head 5

Happy Splunking!

How to sort by field?